Abstract

A timing-based variant of the mutual exclusion problem is considered. In this variant, only an upper bound, $m$, on the time it takes to release the resource is known, and no explicit signal is sent when the resource is released; furthermore, the only mechanism to measure real time is an inaccurate clock, whose tick intervals take time between two constants $c_1 \le c_2$.

When control is centralized it is proved that

$$n \cdot c_2\bigl(\lfloor (m+l)/c_1 \rfloor + 1\bigr) + l$$

is an exact bound on the worst case response time for such algorithms, where $n$ is the number of contenders for the resource and $l$ is an upper bound on process step time. On the other hand, when control is distributed among processes connected via communication lines with an upper bound, $d$, for message delivery time, it is proved that

$$n \cdot \bigl[c_2\bigl(\lfloor (m+l)/c_1 \rfloor + 1\bigr) + d + c_2 + 2l\bigr]$$

is an upper bound. A new technique involving shifting and shrinking executions is combined with a careful analysis of the best allocation policy to prove a corresponding lower bound of

$$n \cdot c_2 \lfloor m/c_1 \rfloor + (n-1)d.$$

These combinatorial results shed some light on modeling and verification issues related to real-time systems.
1 Introduction


An important area of computer applications is real-time process control, in which a computer system interacts with a real-world system in order to guarantee certain desirable real-world behavior. In most interesting cases, the real-world requirements involve timing properties, and so the behavior of the computer system is required to satisfy certain timing constraints. In order to be able to guarantee timing constraints, the computer system must satisfy some assumptions about time; for example, its various components should operate at known speeds.

It is clear that good theoretical work in the area of real-time systems is necessary. In the past few years, several researchers have proposed new frameworks for specifying requirements of such systems, describing implementations, and proving that the implementations satisfy the requirements. These frameworks are based on, among others, finite state machines ([D85]), weakest precondition methods ([H81]), first order logic ([JM86, JM87]), temporal logic ([BH81]), Petri nets ([CR83, LS87, S77]), and process algebra ([HGR87, KSRGA88, ZLG89]). Work is still needed in evaluating and comparing the various models for their usefulness in reasoning about important problems in this area and perhaps in developing new models if these prove to be inadequate.

Work is also needed in developing the complexity theory of such systems; very little work has so far been done in this area. An example of the kind of work needed is provided by the theory of asynchronous concurrent systems. That theory contains many combinatorial results that show what can and cannot be accomplished by asynchronous systems; for tasks that can be accomplished, other combinatorial results determine the inherent costs. In addition to their individual importance, these results also provide a testbed for evaluating modeling decisions and a stimulus for the development of algorithm verification techniques. Similar results should be possible for real-time systems. Some examples of complexity results that have already been obtained for real-time systems are the many results on clock synchronization, including [DHS86, HMM85, L78, LL84, WL88] (see [SWL88] for a survey).

In this paper, we embark on a study of complexity results for real-time systems. We begin this study by considering timing-based variations of certain problems that have previously been studied in asynchronous concurrent systems. In particular, in this paper, we study a variant of the mutual exclusion problem. This problem is one of the fundamental problems in distributed computing; it serves as an abstraction of a large class of hazard avoidance problems. We note that this particular problem appears in the real-time computing literature (cf. [JM87]) as the "nuclear reactor problem". There, operators push different buttons to request the motion of different control rods in the same nuclear reactor. It is undesirable to have more than one control rod moving at the same time, presumably since in that case the nuclear reaction might be slowed down too much.

More specifically, we consider a system consisting of some number, $n$, of identical moving parts (e.g., control rods), no two of which are supposed to move at the same time. An operator associated with each moving part can request permission for the associated part to move by pushing a button that sends a REQUEST signal to the computer system. The system responds with GRANT signals; each GRANT signal gives permission to the designated moving part to move, but such motion is expected to be finished no more than a fixed time, $m$, later. The system is only supposed to issue a GRANT signal when it knows that it is safe to move the corresponding moving part, i.e., when at least time $m$ has elapsed since the last GRANT signal. We assume, for simplicity, that a REQUEST signal is only issued by a particular operator if any preceding REQUEST by that operator has already been satisfied (by a corresponding GRANT signal). Our goal is to minimize the worst-case time between a REQUEST signal and the corresponding GRANT signal, i.e., the worst-case response time.

The computer system might consist of a single process running on a dedicated processor or might be a distributed system running on separate processors communicating over a message system. Solving the problem efficiently requires the computer system to make accurate estimates of the elapsed time since the last GRANT signal; the difficulty, however, is that the computer system only has inaccurate information about time, as given by inaccurate clock components within the system and by estimates of the time required for certain events. Specifically, the only information about time that the computer system has is the following:

1. the knowledge that a moving part will stop moving within time $m$ after a GRANT signal,

2. the knowledge that the time between successive ticks of any clock is always in the interval $[c_1, c_2]$, for known constants $c_1$ and $c_2$, where $0 < c_1 \le c_2$,

3. the knowledge that the time between successive steps of any process within the computer system is always in the interval $[0, l]$, for a known constant $l$, $0 < l$, and

4. (if the system is distributed) the knowledge that the time to deliver the oldest message in each channel is no greater than a known constant $d$, $0 < d$.

In the cases we have in mind, we suppose that $l \ll c_1 \le c_2 \ll m$, but we state explicitly any assumptions that we require about relative sizes of the various constants.

One  way  in  which  our  problem  differs  from  the  mutual  exclusion  problem  usually  studied 
in  asynchronous  systems  is  that  we  do  not  assume  that  an  explicit  signal  is  conveyed  to  the 
computer  system  when  a  moving  part  stops  moving:  the  only  information  the  system  has  about 
the  completion  of  the  critical  activity  is  based  on  its  estimates  of  the  elapsed  time.  It  is  fairly 
typical  for  real-time  systems  to  use  time  estimates  in  order  to  make  deductions  about  real- 
world  behavior.  The  results  of  this  paper  indicate  some  of  the  costs  that  result  from  using 
such  estimates. 

We obtain the following results. First, we consider a centralized computer system, consisting of just a single process with a local clock. For that case, we show that

$$n \cdot c_2\bigl(\lfloor (m+l)/c_1 \rfloor + 1\bigr) + l$$

is an exact bound on the worst-case response time for the timing-based mutual exclusion problem. The upper bound result arises from a careful analysis of a simple FIFO queue algorithm, while the matching lower bound result arises from explicitly constructing and "retiming" executions to obtain a contradiction.

We then consider the distributed case, which is substantially more complicated. For that case, we obtain very close (but not exact) bounds: an upper bound of

$$n \cdot \bigl[c_2\bigl(\lfloor (m+l)/c_1 \rfloor + 1\bigr) + d + c_2 + 2l\bigr]$$

and a lower bound of

$$n \cdot c_2 \lfloor m/c_1 \rfloor + (n-1)d.$$

Assuming that the parameters have the relative sizes described earlier, e.g., that $d$ is much larger than $l$, $c_1$ and $c_2$, the gap between these two bounds is just slightly more than a single message delay time. The upper bound arises from a simple token-passing algorithm, while the lower bound proof employs a new technique of shifting some of the events happening at a process while carefully retiming other events.

The model that we use for proving our results is the I/O automaton model [LT87], which
has been extended recently to include timing [MMT88]. As noted earlier, many people are
working  on  the  development  of  other  models  and  frameworks  for  reasoning  about  real-time 
systems.  The  most  popular  way  of  evaluating  such  frameworks  involves  their  application  to  the 
specification  and  verification  of  substantial  examples  of  practical  utility.  This  paper,  however, 
suggests  a  complementary  approach.  Since  a  framework  for  real-time  processing  should  allow 
proof  of  combinatorial  upper  and  lower  bound  and  impossibility  results,  in  addition  to  allowing 
specification  and  verification  of  systems,  careful  proofs  of  combinatorial  results  such  as  those 
in  this  paper  should  teach  us  a  good  deal  about  the  appropriateness  of  a  model  for  real-time 
processing. 

The rest of this paper is organized as follows. Section 2 presents the timed I/O automaton model. Section 3 contains the general statement of the problem to be solved. Section 4 contains our results for the centralized case, Section 5 contains our results for the distributed case, and Section 6 contains some discussion and open problems.

2  Model  and  Definitions 

2.1  I/O  Automata 

An I/O automaton consists of the following components: a set of actions, classified as output, input and internal; a set of states, including a distinguished subset called the start states; a set of (state, action, state) triples called steps; and a partition of the locally controlled (output and internal) actions into equivalence classes. An action $\pi$ is said to be enabled in a state $s'$ provided that there is a step of the form $(s', \pi, s)$. An automaton is required to be input enabled, which means that every input action must be enabled in every state. The partition groups actions together that are to be thought of as under the control of the same underlying process.

Concurrent systems are modeled by compositions of I/O automata, as defined in [LT87]. In
order  to  be  composed,  automata  must  be  strongly  compatible ;  this  means  that  no  action  can  be 
an  output  of  more  than  one  component,  that  internal  actions  of  one  component  are  not  shared 
by  any  other  component,  and  that  no  action  is  shared  by  infinitely  many  components.  The 
result  of  such  a  composition  is  another  I/O  automaton.  The  hiding  operator  can  be  applied  to 
reclassify  output  actions  as  internal  actions. 

We  refer  the  reader  to  [LT87]  for  a  complete  presentation  of  the  model  and  its  properties. 

2.2  Timed  Automata 

We augment the I/O automaton model as in [MMT88] to allow discussion of timing properties. Namely, a timed I/O automaton is an I/O automaton with an additional component called a boundmap. The boundmap associates a closed subinterval of $[0, \infty]$ with each class in the automaton's partition; to avoid certain boundary cases we assume that the lower bound of each interval is not $\infty$ and the upper bound is nonzero. This interval represents the range of possible differences between successive times at which the given class gets a chance to perform an action. We sometimes use the notation $b_l(C)$ to denote the lower bound assigned by boundmap $b$ to class $C$, and $b_u(C)$ for the corresponding upper bound.

A timed sequence is a sequence of alternating states and (action, time) pairs:

$$s_0, (\pi_1, t_1), s_1, (\pi_2, t_2), \ldots$$

Define $t_0 = 0$. The times are required to be nondecreasing, i.e., for any $i \ge 1$ for which $t_i$ is defined, $t_i \ge t_{i-1}$, and if the sequence is infinite then the times are also required to be unbounded. For any finite timed sequence $\alpha$ define $t_{end}(\alpha)$ to be the time of the last event in $\alpha$, if $\alpha$ is nonempty, or 0, if $\alpha$ is empty; for an infinite timed sequence $\alpha$, $t_{end}(\alpha) = \infty$.

A timed sequence is said to be a timed execution of a timed automaton $A$ with boundmap $b$ provided that when the time components are removed, the resulting sequence is an execution of the I/O automaton underlying $A$, and it satisfies the following conditions for each class $C$ of the partition of $A$ and every $i$:

1. Suppose $b_u(C) < \infty$. If some action in $C$ is enabled in $s_i$ and one of the following holds: either $i = 0$ or no action in $C$ is enabled in $s_{i-1}$ or $\pi_i$ is in $C$, then there exists $j > i$ with $t_j \le t_i + b_u(C)$ such that either $\pi_j$ is in $C$ or no action of $C$ is enabled in $s_j$.

2. If some action in $C$ is enabled in $s_i$ and either $i = 0$ or no action in $C$ is enabled in $s_{i-1}$ or $\pi_i$ is in $C$, then there does not exist $j > i$ with $t_j < t_i + b_l(C)$ and $\pi_j$ in $C$.


The first condition says that, starting from when an action in $C$ occurs or first becomes enabled, within time $b_u(C)$ either some action in $C$ occurs or there is a point at which no such action is enabled. The second condition says that, again starting from when an action in $C$ occurs or first becomes enabled, no action in $C$ can occur before time $b_l(C)$ has elapsed. The third condition (that the untimed sequence is an execution of the underlying automaton) merely requires that the steps taken by the automaton are indeed legal.

Note that the definition of a timed execution includes a liveness condition (in 1.) in addition to safety conditions (in both 1. and 2.). For finite timed sequences, it is sometimes interesting to consider only the safety properties. Thus, we define a weaker notion, as follows. A finite timed sequence is said to be a timed semi-execution provided that when the time components are removed, the resulting sequence is an execution of the I/O automaton underlying $A$, and it satisfies the following conditions, for every class $C$ and $i$.

1. Suppose $b_u(C) < \infty$. If some action in $C$ is enabled in $s_i$ and one of the following holds: either $i = 0$ or no action in $C$ is enabled in $s_{i-1}$ or $\pi_i$ is in $C$, then either $t_{end}(\alpha) < t_i + b_u(C)$ or there exists $j > i$ with $t_j \le t_i + b_u(C)$ such that either $\pi_j$ is in $C$ or no action of $C$ is enabled in $s_j$.

2. Condition 2. above.

Intuitively, timed semi-executions represent sequences in which the safety conditions described by the boundmap are not violated. The following lemmas say that such a sequence can be extended to a timed execution in which the liveness conditions described by the boundmap are also satisfied.

Lemma 2.1 If $\alpha$ is a timed semi-execution of a timed automaton $A$ and no locally controlled action of $A$ is enabled in the final state of $\alpha$, then $\alpha$ is a timed execution of $A$.

Proof:  Straightforward.  ■ 

Lemma 2.2 Let $\{\alpha_i\}_{i \ge 1}$ be a sequence of timed semi-executions of a timed automaton $A$ such that

1. for any $i \ge 1$, $\alpha_i$ is a prefix of $\alpha_{i+1}$, and

2. $\lim_{i \to \infty} t_{end}(\alpha_i) = \infty$.

Then there exists an infinite timed execution $\alpha$ of $A$ such that for any $i \ge 1$, $\alpha_i$ is a prefix of $\alpha$.



Proof:  Straightforward. 


Lemma 2.3 Let $A$ be a timed automaton having finitely many classes in its partition, and let $\alpha$ be a timed semi-execution of $A$. Then there is a timed execution $\alpha'$ of $A$ that extends $\alpha$, such that only events from classes with finite upper bound occur in $\alpha'$ after $\alpha$.

Proof: First, for each class $C$ and each finite timed semi-execution $\beta$, we define a time $deadline(\beta, C)$ to represent the latest time after the end of $\beta$ by which an action of $C$ must occur in order to satisfy the liveness requirements. The definition is by induction on the number of events in $\beta$. In the base case $\beta$ consists of a single start state $s_0$, and we define, for any class $C$ such that some action in $C$ is enabled in $s_0$, $deadline(\beta, C) = b_u(C)$. Otherwise, let $deadline(\beta, C) = \infty$. Let

$$\beta = s_0, (\pi_1, t_1), s_1, \ldots, (\pi_j, t_j), s_j,$$

and assume we have defined $deadline$ for all finite timed semi-executions with $j - 1$ events. Denote

$$\beta' = s_0, (\pi_1, t_1), s_1, \ldots, (\pi_{j-1}, t_{j-1}), s_{j-1}.$$

Let $\pi_j \in C$; then $deadline(\beta, C) = t_j + b_u(C)$ if some action in $C$ is enabled in $s_j$, and $deadline(\beta, C) = \infty$ otherwise. For any class $D \ne C$, $deadline(\beta, D) = t_j + b_u(D)$ if some action in $D$ is enabled in $s_j$ and no action in $D$ is enabled in $s_{j-1}$; if some action in $D$ is enabled in $s_j$ and also some action in $D$ is enabled in $s_{j-1}$, then $deadline(\beta, D) = deadline(\beta', D)$; if no action in $D$ is enabled in $s_j$, then $deadline(\beta, D) = \infty$.¹

We construct $\alpha'$ as the limit of a sequence $\{\alpha_i\}_{i \ge 1}$ of timed semi-executions, where $\alpha_1 = \alpha$. Starting from $\alpha_i$, we define $\alpha_{i+1}$ as follows. Let $C$ be a class that has an action enabled in the final state of $\alpha_i$, for which the value of $deadline(\alpha_i, C)$ is minimum among all such classes. Then $\alpha_{i+1}$ is obtained from $\alpha_i$ by appending a single enabled action from $C$, occurring at time $deadline(\alpha_i, C)$. If there is no such class, then we define $\alpha_{i+1} = \alpha_i$. Clearly, $\alpha_{i+1}$ is a timed semi-execution.

It remains to verify that $\alpha'$, the limit of the $\alpha_i$, is a timed execution. There are three cases.

1. $\alpha'$ is a finite sequence. Then $\alpha' = \alpha_i$ for some $i$ such that no action in any class is enabled in the final state of $\alpha_i$. Then Lemma 2.1 implies that $\alpha'$ is a timed execution.

2. $\alpha'$ is an infinite execution in which the time component is unbounded. Then Lemma 2.2 implies that $\alpha'$ is a timed execution.

3. $\alpha'$ is an infinite execution in which the time component is bounded. The facts that there are only finitely many classes and the values of $b_u(C)$ are nonzero imply that there is some bound $\epsilon > 0$ such that $t_{end}(\alpha_{i+1}) \ge t_{end}(\alpha_i) + \epsilon$ for all $i$. This implies that this case cannot occur. ■

¹These rules are similar to the rules given for maintaining the variable $Ltime(C)$ in the $time(A)$ definition in the following subsection.


For any timed execution or semi-execution $\alpha$ we define $sched(\alpha)$ to be the sequence of (action, time) pairs occurring in $\alpha$, i.e., $\alpha$ with the states removed. We say that a sequence of (action, time) pairs is a timed schedule of $A$ if it is $sched(\alpha)$, where $\alpha$ is a timed execution of $A$. We also define $beh(\alpha)$ to be the subsequence of $sched(\alpha)$ consisting of external (input and output) actions and associated times, and say that a sequence of (action, time) pairs is a timed behavior of $A$ if it is $beh(\alpha)$, where $\alpha$ is a timed execution of $A$.

Definitions for composing timed automata to yield another timed automaton, analogous to those for I/O automata, are developed in [MMT88]. We model real-time systems as compositions of timed automata. (Real-time systems were also modeled in this way in [L88].)

2.3  Adding  Time  Information  to  the  States 

We would like to use standard proof techniques such as invariant assertions to reason about timed automata. In order to do this, we find it convenient to define an ordinary I/O automaton $time(A)$ corresponding to a given timed automaton $A$. This new automaton has the timing restrictions of $A$ built into its state, in the form of predictions about when the next event in each class will occur. Thus, given any timed I/O automaton $A$ having boundmap $b$, the ordinary I/O automaton $time(A)$ is defined as follows.

The automaton $time(A)$ has actions of the form $(\pi, t)$, where $\pi$ is an action of $A$ and $t$ is a nonnegative real number. Each of its states consists of a state of $A$, augmented with a time called $Ctime$ and, for each class $C$ of the partition, two times, $Ftime(C)$ and $Ltime(C)$. $Ctime$ (the "current time") represents the time of the last preceding event, initially 0. The $Ftime(C)$ and $Ltime(C)$ components represent, respectively, the first and last times at which an action in class $C$ is scheduled to be performed (assuming some action in $C$ stays enabled). (We use record notation to denote the various components of the state of $time(A)$; for instance, $s.Astate$ denotes the state of $A$ included in state $s$ of $time(A)$.) More precisely, each initial state of $time(A)$ consists of an initial state $s$ of $A$, plus $Ctime = 0$, plus values of $Ftime(C)$ and $Ltime(C)$ with the following properties. If there is an action in $C$ enabled in $s$, then $Ftime(C) = b_l(C)$ and $Ltime(C) = b_u(C)$. Otherwise, $Ftime(C) = 0$ and $Ltime(C) = \infty$.

If $(\pi, t)$ is an action of $time(A)$, then $(s', (\pi, t), s)$ is a step of $time(A)$ exactly if the following conditions hold.

1. $(s'.Astate, \pi, s.Astate)$ is a step of $A$.

2. $s'.Ctime \le t = s.Ctime$.

3. If $\pi$ is a locally controlled action of $A$ in class $C$, then

 (a) $s'.Ftime(C) \le t \le s'.Ltime(C)$,

 (b) if some action in $C$ is enabled in $s.Astate$, then $s.Ftime(C) = t + b_l(C)$ and $s.Ltime(C) = t + b_u(C)$, and

 (c) if no action in $C$ is enabled in $s.Astate$, then $s.Ftime(C) = 0$ and $s.Ltime(C) = \infty$.

4. For all classes $D$ such that $\pi$ is not in class $D$,

 (a) $t \le s'.Ltime(D)$,

 (b) if some action in $D$ is enabled in $s.Astate$ and some action in $D$ is enabled in $s'.Astate$, then $s.Ftime(D) = s'.Ftime(D)$ and $s.Ltime(D) = s'.Ltime(D)$,

 (c) if some action in $D$ is enabled in $s.Astate$ and no action in $D$ is enabled in $s'.Astate$, then $s.Ftime(D) = t + b_l(D)$ and $s.Ltime(D) = t + b_u(D)$, and

 (d) if no action in $D$ is enabled in $s.Astate$, then $s.Ftime(D) = 0$ and $s.Ltime(D) = \infty$.

Note that property 4(a) ensures that an action does not occur if any other class has an action that must be scheduled first. The partition classes of $time(A)$ are derived one-for-one from the classes of $A$ (although we will not need them in this paper).

The finite executions of $time(A)$, when the states are projected onto their $Astate$ components, are exactly the same as the finite prefixes of the timed executions of $A$. This implies that safety properties of a timed automaton $A$ can be proved by proving them for $time(A)$, e.g., using invariant assertions.
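As an added illustration that is not part of the paper, the Python code below implements the bookkeeping just described: it maintains $Ctime$, $Ftime(C)$ and $Ltime(C)$ exactly as the step conditions of $time(A)$ prescribe and rejects any $(\pi, t)$ that violates conditions 1, 2, 3(a) or 4(a), so it decides whether a sequence of (action, time) pairs is a timed semi-execution (safety only; the liveness part of a timed execution is not checked). The class `TimedAutomaton`, the function `check_semi_execution` and the sample automaton `CLOCK_AND_PART` (the clock of Section 4 composed with movingpart(0) of Section 3, with constructed parameters $c_1 = 3$, $c_2 = 4$, $m = 10$) are this example's own names, not notation from the paper.

```python
"""Added example (not part of the paper): decide whether a sequence of
(action, time) pairs is a timed semi-execution of a timed automaton by
maintaining Ctime, Ftime(C) and Ltime(C) exactly as the step conditions of
time(A) prescribe.  Only safety is checked; liveness is not.  Times are exact
Fractions; INF plays the role of the boundmap value "oo"."""
from fractions import Fraction as F

INF = float("inf")


class TimedAutomaton:
    """A timed automaton given by: its start state; step(s, action), returning
    the next state or None when (s, action, s') is not a step of A; cls_of(action),
    the partition class of a locally controlled action (None for an input);
    enabled(s, cls), whether some action of cls is enabled in s; and
    boundmap = {cls: (b_l, b_u)}."""

    def __init__(self, start, step, cls_of, enabled, boundmap):
        self.start, self.step, self.cls_of = start, step, cls_of
        self.enabled, self.boundmap = enabled, boundmap


def check_semi_execution(aut, pairs):
    """True iff `pairs` is a timed semi-execution of `aut`, i.e. conditions
    1, 2, 3(a) and 4(a) of the time(A) step relation hold at every event."""
    astate, ctime = aut.start, F(0)
    ftime, ltime = {}, {}
    for c, (bl, bu) in aut.boundmap.items():             # initial state of time(A)
        ftime[c], ltime[c] = (bl, bu) if aut.enabled(astate, c) else (F(0), INF)
    for action, t in pairs:
        c = aut.cls_of(action)
        if t < ctime:                                    # 2: s'.Ctime <= t
            return False
        if c is not None and not ftime[c] <= t <= ltime[c]:   # 3(a): Ftime(C) <= t <= Ltime(C)
            return False
        if any(t > ltime[d] for d in aut.boundmap if d != c):  # 4(a): t <= Ltime(D) for D != C
            return False
        new = aut.step(astate, action)
        if new is None:                                  # 1: must be a step of A
            return False
        for d, (bl, bu) in aut.boundmap.items():         # 3(b),(c) and 4(b),(c),(d)
            was_on, now_on = aut.enabled(astate, d), aut.enabled(new, d)
            if not now_on:                               # 3(c), 4(d): nothing scheduled
                ftime[d], ltime[d] = F(0), INF
            elif d == c or not was_on:                   # 3(b), 4(c): (re)start the window
                ftime[d], ltime[d] = t + bl, t + bu
            # otherwise 4(b): enabled before and after, window unchanged
        astate, ctime = new, t
    return True


# Sample automaton (constructed): the clock of Section 4 composed with
# movingpart(0) of Section 3.  State = GRANTED flag.  TICK is in class "clock"
# with boundmap [c1, c2]; FINISH is in class "part" with boundmap [0, m];
# GRANT is an input action.
C1, C2, M = F(3), F(4), F(10)      # constructed parameters, l << c1 <= c2 << m

def _step(granted, action):
    if action == "TICK":
        return granted
    if action == "GRANT":
        return True
    if action == "FINISH":
        return False if granted else None     # FINISH requires GRANTED = true
    return None

CLOCK_AND_PART = TimedAutomaton(
    start=False,
    step=_step,
    cls_of=lambda action: {"TICK": "clock", "FINISH": "part"}.get(action),
    enabled=lambda granted, cls: cls == "clock" or (cls == "part" and granted),
    boundmap={"clock": (C1, C2), "part": (F(0), M)},
)

if __name__ == "__main__":
    ok = [("TICK", 3), ("TICK", 6), ("GRANT", 7), ("TICK", 9), ("TICK", 12), ("TICK", 15), ("FINISH", 17)]
    late = [("TICK", 3), ("GRANT", 4), ("TICK", 7), ("TICK", 11), ("TICK", 15)]   # FINISH due by 14
    print(check_semi_execution(CLOCK_AND_PART, ok), check_semi_execution(CLOCK_AND_PART, late))
```

The second sample is rejected at the TICK at time 15 by condition 4(a): the moving part was granted at 4, so $Ltime(\text{part}) = 14$ and no other class may act after that deadline until FINISH has occurred; this is exactly the mechanism by which the boundmap $[0, m]$ of movingpart(i) enters the proofs.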

3  Problem  Statement 

For either the centralized or distributed case, we assume that there are $n$ modules called moving parts, $n$ modules called operators, plus some modules comprising the computer system. The actions of the complete system, exclusive of any internal actions of the computer system, are REQUEST(i), GRANT(i) and FINISH(i), for $0 \le i \le n-1$. Each operator(i) has input action GRANT(i) and output action REQUEST(i). Each movingpart(i) has input action GRANT(i) and output action FINISH(i). The computer system has input actions REQUEST(i) for all $i$ and output actions GRANT(i) for all $i$. See Figure 1.

Let movingpart(i) be a particular timed automaton with the given signature, having a state consisting of one component, GRANTED, a Boolean variable, initially false.

GRANT(i)
Effect:
    GRANTED := true

FINISH(i)
Precondition:
    GRANTED = true
Effect:
    GRANTED := false

Figure 1: The system architecture.

There is only one class in the partition for movingpart(i), a singleton containing the one action FINISH(i). The boundmap associates the interval $[0, m]$ with this class. As described in the Introduction, the timed executions of this timed automaton have the property that, within time $m$ after a GRANT(i) occurs, a FINISH(i) must also occur, that is, movingpart(i) "stops moving".

Now consider operator(i). It is described as an automaton with the maximum amount of freedom we wish to allow to the operator. Let operator(i) be the timed automaton with the appropriate signature, having a state consisting of one component, PUSHED, a Boolean variable, initially false.

GRANT(i)
Effect:
    PUSHED := false

REQUEST(i)
Precondition:
    PUSHED = false
Effect:
    PUSHED := true

Again, there is only one (singleton) class in the partition for operator(i). We do not want to insist that the operator push the button within a particular amount of time after a GRANT. (It may never do so, in fact.) Thus, we define the boundmap to assign the interval $[0, \infty]$ to this one class.

The requirement for the computer system is that when it is composed with the given operators and moving parts, the resulting system has all its behaviors satisfying the following conditions:

1. Request well-formedness: For any $0 \le i \le n-1$, REQUEST(i) and GRANT(i) actions alternate, starting with a REQUEST(i).

2. Moving part well-formedness: For any $0 \le i \le n-1$, GRANT(i) and FINISH(i) actions alternate, starting with GRANT(i).

3. Mutual exclusion: There are never two consecutive GRANT events without an intervening FINISH event.

4. Eventual granting: Any REQUEST(i) event has a following GRANT(i) event.

We measure the performance of the system by the worst case response time, i.e., the longest time between REQUEST(i) and the next subsequent GRANT(i) in any timed behavior.


4  A  Centralized  System 

We first consider the case of a "centralized" computer system to solve this exclusion problem. In this case, the architecture is as follows. There are two modules (timed I/O automata), the manager and the clock. The clock has only one action, the output TICK, which is always enabled, and has no effect on the clock's state. It can be described as the particular one-state automaton with the following steps.

TICK
Precondition:
    true
Effect:
    none

Figure 2: The architecture of the centralized control system.

The boundmap associates the interval $[c_1, c_2]$ with the single class of the partition. This means that successive TICK events will occur with intervening times in the given interval.

The manager has input actions TICK and REQUEST(i) for all $i$, and output actions GRANT(i). It is an arbitrary automaton, subject to the restriction that it has only a single class in its partition. (This says that it is really a sequential process; it cannot be running several processes in parallel.) We associate the boundmap $[0, l]$ with the single class of locally controlled actions. This means that successive locally-controlled steps of the manager are done within the given interval (if any are enabled).

The  computer  system  is  the  composition  of  the  manager  and  the  clock,  (with  the  I/O 
automaton  hiding  operator  applied  to  hide  the  TICK  actions).  See  Figure  2. 

Note  that  the  timed  automaton  model  forces  us  to  model  the  step  time  of  the  manager 
process  explicitly.  Other  models  (e.g.,  the  one  used  for  clock  synchronization  in  [WL88])  might 
avoid  this  level  of  detail  by  hypothesizing  that  the  manager’s  steps  are  triggered  only  by  input 
events  such  as  clock  ticks  or  requests.  We  regard  such  a  model  (informally)  as  a  limiting  case 
of  our  model,  as  the  upper  bound  on  manager  step  time  approaches  zero. 

4.1  Upper  Bound 

4.1.1  The  Algorithm 

The  following  simple  algorithm  for  the  manager  process  solves  the  problem.  The  manager 
simply  puts  requests  on  a  FIFO  queue.  If  there  is  a  pending  request,  the  manager  issues  a 
GRANT  signal  to  the  node  whose  request  is  first  on  the  queue,  and  sets  a  timer  to  measure 
the  time  until  the  moving  part  stops  moving.  When  the  timer  goes  off,  the  manager  repeats. 

There is some subtlety in determining the minimum number of clock ticks that guarantee
that time $m$ has elapsed since the GRANT. At first glance, one might be tempted to count
$\lfloor m/c_1 \rfloor + 1$ ticks, but a careful examination shows that this might cause a violation of the
exclusion property, if a TICK happens immediately after the GRANT, and the next GRANT
happens immediately after the last TICK. Waiting for $\lfloor m/c_1 \rfloor + 2$ ticks suffices to overcome this
difficulty, but the lower bound presented in Subsection 4.2 suggests that this might not be
optimal. In order to achieve the best possible timing performance, the algorithm only grants
immediately after a clock tick, and the timer is set to $\lfloor (m+l)/c_1 \rfloor + 1$ clock ticks.

In addition to the REQUEST and TICK inputs and GRANT outputs already specified,
the manager has an internal action ELSE. This action is enabled exactly when no output
action is enabled; this has the effect of ensuring that locally controlled steps of the manager
occur at (approximately) regular intervals, as determined by the manager's boundmap.

The  manager's  state  is  divided  into  components: 

TICKED  holding  a  boolean  value,  initially  true ; 

QUEUE holding a queue of indices $i \in [0..n-1]$, initially empty;

TIMER  holding  an  integer,  initially  0; 

The manager's algorithm is as follows:

REQUEST(i), $0 \le i \le n-1$
  Effect:
    add i to QUEUE

TICK
  Effect:
    TIMER := TIMER - 1
    TICKED := true

GRANT(i), $0 \le i \le n-1$
  Precondition:
    i is first on QUEUE
    TIMER $\le 0$
    TICKED = true
  Effect:
    remove i from front of QUEUE
    TIMER := $\lfloor (m+l)/c_1 \rfloor + 1$
    TICKED := false

ELSE
  Precondition:
    QUEUE is empty or TIMER > 0 or TICKED = false
  Effect:
    TICKED := false
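The tick-counting subtlety discussed above and the manager automaton just given can be checked on concrete numbers. The following Python program is an added example, not code from the paper: it replays the manager's state machine (TICKED, QUEUE, TIMER) against adversary-chosen schedules of TICK, REQUEST and manager-step events, with the assumed constants $c_1 = 10$, $c_2 = 12$, $l = 1$ and $m = 35$ (any values with $l < c_1 < c_2$ would do). The first schedule is the bad case described above for the naive rule (count $\lfloor m/c_1 \rfloor + 1$ ticks and grant as soon as TIMER reaches 0): a TICK immediately after GRANT(0) and GRANT(1) immediately after the last counted TICK leave the two grants only $30 \le m$ apart, so the first part may still be moving. The second schedule is the worst case for the rule actually used, a GRANT as late as $l$ after a TICK followed by TICKs only $c_1$ apart, and the gap is $39 > m$. A third, slow-clock schedule measures the response time of the last of $n$ simultaneous requests and compares it with the bound of Theorem 4.3. ELSE steps that the model would force at other times are left out of the hand-written schedules: they only clear TICKED, which the next TICK sets again, and the step that matters after each TICK is scheduled explicitly.

```python
from collections import deque
from fractions import Fraction as F

# Assumed constants (not taken from the paper): TICKs are [c1, c2] apart,
# a manager step takes at most l < c1, a moving part stops within m of its GRANT.
C1, C2, L, M = F(10), F(12), F(1), F(35)


class Manager:
    """State components TICKED, QUEUE and TIMER of the manager automaton.
    careful=True is the paper's rule (grant only right after a TICK, reload
    floor((m+l)/c1)+1); careful=False is the naive rule (reload floor(m/c1)+1,
    grant as soon as TIMER <= 0, ignoring TICKED)."""

    def __init__(self, careful=True):
        self.careful = careful
        self.ticked, self.queue, self.timer = True, deque(), 0
        self.reload = (M + L) // C1 + 1 if careful else M // C1 + 1

    def request(self, i):            # input action REQUEST(i)
        self.queue.append(i)

    def tick(self):                  # input action TICK
        self.timer -= 1
        self.ticked = True

    def local_step(self):
        """One locally controlled step: GRANT(i) if enabled, otherwise ELSE."""
        if self.queue and self.timer <= 0 and (self.ticked or not self.careful):
            i = self.queue.popleft()
            self.timer, self.ticked = self.reload, False
            return i
        self.ticked = False          # ELSE
        return None


def run(schedule, careful=True):
    """Replay a time-ordered schedule of (time, event) pairs; events are 'TICK',
    'STEP' (one locally controlled manager step) or ('REQUEST', i).  The two
    timing bounds the argument rests on are checked: consecutive TICKs are
    [c1, c2] apart and a manager step follows every TICK within l.
    Returns [(time, i)] for every GRANT(i)."""
    mgr, grants, last_tick, pending = Manager(careful), [], F(0), None
    for t, ev in schedule:
        if ev == 'TICK':
            assert pending is None, f"no manager step before the TICK at {t}"
            assert C1 <= t - last_tick <= C2, f"TICK at {t} breaks [c1, c2]"
            last_tick = pending = t
            mgr.tick()
        elif ev == 'STEP':
            if pending is not None:
                assert t - pending <= L, f"step at {t} is more than l after a TICK"
                pending = None
            i = mgr.local_step()
            if i is not None:
                grants.append((t, i))
        else:
            mgr.request(ev[1])
    return grants


def exclusion_holds(grants):
    """A part granted at g may still move at any time <= g + m: consecutive GRANTs must be > m apart."""
    return all(b - a > M for (a, _), (b, _) in zip(grants, grants[1:]))


# Constructed worst case for the naive rule: GRANT(0) immediately before a
# TICK, GRANT(1) immediately after the (floor(m/c1)+1)-th TICK since then.
NAIVE = [(10, ('REQUEST', 0)), (10, ('REQUEST', 1)),
         (10, 'STEP'),                        # GRANT(0); TIMER := 4
         (10, 'TICK'), (10, 'STEP'),          # TICK right after the GRANT
         (20, 'TICK'), (20, 'STEP'), (30, 'TICK'), (30, 'STEP'),
         (40, 'TICK'), (40, 'STEP')]          # GRANT(1): only 30 <= m later

# Constructed worst case for the paper's rule: GRANT(0) as late as the step
# bound allows (l after a TICK), then floor((m+l)/c1)+1 TICKs only c1 apart.
CAREFUL = [(10, 'TICK'), (10, ('REQUEST', 0)), (10, ('REQUEST', 1)),
           (11, 'STEP'),                      # GRANT(0); TIMER := 4
           (20, 'TICK'), (20, 'STEP'), (30, 'TICK'), (30, 'STEP'),
           (40, 'TICK'), (40, 'STEP'),
           (50, 'TICK'), (50, 'STEP')]        # GRANT(1): 39 > m later


def slow_schedule(n, horizon):
    """Slow clock (TICKs exactly c2 apart), n requests right after the first
    TICK, and the manager stepping as late as allowed, l after each TICK."""
    sched, t = [], C2
    while t <= horizon:
        sched.append((t, 'TICK'))
        if t == C2:
            sched += [(t, ('REQUEST', i)) for i in range(n)]
        sched.append((t + L, 'STEP'))
        t += C2
    return sched


def response_time_bound(n):
    """The bound of Theorem 4.3: n * c2 * (floor((m+l)/c1) + 1) + l."""
    return n * C2 * ((M + L) // C1 + 1) + L


def last_response(n):
    """Response time of the last of n simultaneous requests under slow_schedule."""
    grants = run(slow_schedule(n, response_time_bound(n) + C2))
    return grants[n - 1][0] - C2


if __name__ == "__main__":
    for name, sched, careful in (("naive", NAIVE, False), ("paper", CAREFUL, True)):
        g = run(sched, careful)
        print(f"{name}: grants {g}, exclusion holds: {exclusion_holds(g)}")
    print(f"n=3, slow clock: response {last_response(3)} <= {response_time_bound(3)}")
```

Run as a script, the naive rule places GRANT(1) 30 time units after GRANT(0) and `exclusion_holds` reports False, the paper's rule places it 39 units later, and the slow-clock run with $n = 3$ answers the last request after 97 units against the bound of 145; changing the assumed constants shows that the naive gap can equal $\lfloor m/c_1 \rfloor c_1 \le m$ while the careful gap is always $(\lfloor (m+l)/c_1 \rfloor + 1)c_1 - l > m$.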




4.1.2  Correctness  Proof 


Let $A$ be the composition of the four given kinds of timed automata: operators, moving parts,
manager and clock. This subsection is devoted to proving the following theorem.

Theorem 4.1 Algorithm $A$ is a correct centralized resource allocation algorithm.

We prove correctness using automaton time(A), as defined above. In this case, the system
state is augmented with the variable Ctime, plus the variables Ftime and Ltime, for the
following partition classes:

1. REQUEST(i) for each $i$, which contains the single action REQUEST(i).

2. FINISH(i) for each $i$, which contains the single action FINISH(i).

3. TICK, which contains the single action TICK, and

4. LOCAL, the locally controlled actions, which contains all the actions GRANT(i), $0 \le i \le n-1$,
and the ELSE action.

Initially, we have Ftime(REQUEST(i)) = 0, Ltime(REQUEST(i)) = $\infty$, Ftime(FINISH(i)) =
0 and Ltime(FINISH(i)) = $\infty$, Ftime(TICK) = $c_1$, Ltime(TICK) = $c_2$, Ftime(LOCAL) = 0
and Ltime(LOCAL) = $l$.

The proof of mutual exclusion rests on the following invariant for time(A).

Lemma 4.2 Let $s$ be a reachable state of time(A). Then the following all hold:

1. If FINISH(i) is enabled in s.Astate, then

(a) s.TIMER > 0,

(b) s.Ftime(TICK) + (s.TIMER - 1)$c_1 \ge$ s.Ltime(FINISH(i)), and

(c) FINISH(j) is not enabled in s.Astate, for any $j \ne i$.

2. If s.TICKED then s.Ftime(TICK) $\ge$ s.Ltime(LOCAL) + $c_1 - l$.

Thus,  if  a  part  is  moving,  the  manager's  TIMER  is  positive.  Moreover,  the  TIMER  is  large 
enough  so  that  waiting  that  number  of  ticks  would  cause  enough  time  to  elapse  so  that  the 
part  would  be  guaranteed  to  have  stopped  moving.  Property  1(c)  implies  mutual  exclusion, 
while  property  2  guarantees  a  lower  bound  on  the  time  till  the  next  TICK ,  if  no  LOCAL  step 
has  occurred  since  the  previous  TICK. 

The proof of correctness is done in careful detail; since it is quite straightforward, we include
it in Appendix A.
Proof: (of Theorem 4.1) Lemma 4.2 implies mutual exclusion. Moving part well-formedness
follows  easily  from  the  same  lemma  and  the  definition  of  the  moving  part.  Request  well- 
formedness  follows  from  the  definitions  of  the  operators  and  the  manager.  The  remaining 
condition,  eventual  granting,  can  be  argued  from  the  queue-like  behavior  of  the  manager  and 
the  fact  that  the  clock  keeps  ticking.  (This  latter  property  also  follows  from  the  formal  proof 
of  the  upper  bound  on  response  time  in  the  following  subsection.)  ■ 

4.1.3  Response  Time 

Now we prove our upper bound on response time for the given algorithm $A$.

Theorem 4.3 Assume that $l < c_1$. The worst case response time for algorithm $A$ is at most

$n[c_2(\lfloor (m+l)/c_1 \rfloor + 1)] + l.$

The  proof  of  this  theorem  requires  several  lemmas. 

Lemma 4.4 In any reachable state there are at most $n$ entries in QUEUE.

Proof: We have already argued that all timed executions of the system are request well-
formed, i.e., REQUEST(i) and GRANT(i) alternate for any $0 \le i \le n-1$, starting with
REQUEST(i). The preconditions for REQUEST(i) and the operation of the manager imply
that when REQUEST(i) happens, $i$ is not in the queue. A simple induction implies that in
any reachable state of the system, $i$ appears only once in QUEUE. ■

Lemma 4.5 In any reachable state $s$, s.TIMER $\le \lfloor (m+l)/c_1 \rfloor + 1$.

Proof:  By  an  easy  induction.  ■ 

Lemma 4.6 Let $s$ be any state occurring in a timed execution, in which s.TIMER $\le k$, for
$k \ge 1$. Then (at least) one of the following two conditions holds.

1. s.TIMER $\le 0$ and s.TICKED = true, or

2. the time from the given occurrence of $s$ until a later TICK event resulting in TIMER $\le 0$
is bounded above by $c_2 \cdot k$.

Proof: Suppose that it is not the case that s.TIMER $\le 0$ and s.TICKED = true. Then a
GRANT cannot occur until a state is reached in which TIMER $\le 0$ and TICKED = true,
and  this  condition  requires  at  least  one  TICK  to  occur  after  the  given  occurrence  of  s.  The 
bound  follows  from  the  upper  bound  on  clock  time,  the  way  the  TICK  actions  manipulate  the 
TIMER,  and  the  way  the  variable  TICKED  gets  set.  ■ 
Proof: (of Theorem 4.3) When a request arrives, it is at worst in position $n$ on the QUEUE,
by Lemma 4.4. By Lemmas 4.5 and 4.6, either TIMER $\le 0$ and TICKED = true at the time
when the request arrives, or else within time $c_2(\lfloor (m+l)/c_1 \rfloor + 1)$ a TICK event (call it $\pi_1$)
occurs which sets TIMER to 0. In the former case, there must be a TICK event occurring
prior to the request that sets TIMER $\le 0$, with no intervening local events; let $\pi_1$ denote this
TICK event. In either case, within time $l$ after $\pi_1$ (but after the request) the first entry gets
its request granted and gets removed from the QUEUE, and TIMER is set to

$\lfloor (m+l)/c_1 \rfloor + 1.$

Since $l < c_1$, within time $c_2$ after $\pi_1$, another TICK event occurs, this one decreasing
TIMER to $\lfloor (m+l)/c_1 \rfloor$.

Immediately after this TICK, either TIMER = 0, or $\lfloor (m+l)/c_1 \rfloor \ge 1$; in this latter case, by Lemma
4.6, within at most time $c_2 \lfloor (m+l)/c_1 \rfloor$ after it, a TICK event occurs that sets TIMER $\le 0$.
Thus, in either case, from event $\pi_1$ until another TICK event $\pi_2$ that sets TIMER $\le 0$, at
most

$c_2(\lfloor (m+l)/c_1 \rfloor + 1)$

time elapses. The next entry in the queue is enabled immediately after $\pi_2$. In this manner, we
can construct a sequence of TICK events, $\pi_1, \pi_2, \ldots$, such that the time between $\pi_i$ and $\pi_{i+1}$,
for each $i$, $1 \le i \le n$, is at most

$c_2(\lfloor (m+l)/c_1 \rfloor + 1),$

and for any $1 \le i \le n$, the $i$th entry on the original queue (if there is any) is enabled after $\pi_i$.
Hence, within time

$n[c_2(\lfloor (m+l)/c_1 \rfloor + 1)],$

the enabling condition is satisfied for the given request. Then within time at most $l$ afterwards,
the request is granted. This completes the proof of the upper bound on response time. ■


Note that this proof requires the assumption that $l < c_1$; in case this assumption is not
made, an analysis similar to the one in the proof above yields a slightly higher upper bound of

$n[c_2(\lfloor (m+l)/c_1 \rfloor + 1) + l].$

Also, note that the limit of the given upper bound, as $l$ approaches 0, is $n \cdot c_2(\lfloor m/c_1 \rfloor + 1)$.
We think of this as an upper bound for this algorithm when it is run on an interrupt-driven
model.




It follows from the lower bound in Section 4.2 that algorithm $A$ has optimal response time.
This seems to imply that the best policy is to issue a GRANT right after a TICK. This is
apparently because a time estimate done immediately after a clock TICK is the most accurate.

Although this proof is currently written in terms of executions, it seems that the invariant
assertion techniques for time-augmented automata developed above could be extended to
handle response time analysis; preliminary results in that direction appear in [LA].

4.2  Lower  Bound 

Now we turn to proving lower bounds. We begin with a fairly simple lower bound result that is
quite close to the upper bound proved in the preceding subsection, but does not match exactly.
The  gap  between  this  lower  bound  and  the  upper  bound  depends  on  the  manager’s  step  time 
and  the  roundoffs.  Since  we  consider  these  to  be  very  small,  for  practical  purposes  one  might 
be  satisfied  with  this  simpler  lower  bound.  However,  it  is  interesting  theoretically  to  note  that 
in  this  case,  we  can  obtain  a  tight  bound  by  a  related  but  somewhat  more  difficult  argument. 

Theorem 4.7 The worst case response time of any centralized resource allocation algorithm
is at least

$n \cdot m(c_2/c_1).$


In order to see why this is so, define a timed execution or timed semi-execution to be slow
if the times between successive TICK events (and the time of the first TICK event) are exactly
$c_2$. We have:

Lemma 4.8 Let $\alpha$ be a slow timed execution of a correct centralized resource allocation
algorithm. Then the time between any two consecutive GRANT events in $\alpha$ is strictly greater
than

$m(c_2/c_1).$

Proof: If this were not so, then we could "retime" the whole timed execution by multiplying
the time at which each event occurs by $c_1/c_2$ (without changing the ordering of events),
resulting in a new timed execution in which the time between the two GRANT events is at most
$m$. The time between clock ticks is now $c_1$, so the resulting sequence is a timed execution.
Then moving the FINISH event corresponding to the first GRANT event to the point just
after the second GRANT event (to occur at the same time) yields another timed execution, this
one violating mutual exclusion. ■

Proof: (of Theorem 4.7) We create a slow timed semi-execution in which a REQUEST(0)
event occurs, and immediately after the corresponding GRANT(0) event (and at the same
time) a sequence of

REQUEST(0), ..., REQUEST($n-1$)

events occur. Now extend this timed semi-execution (keeping it slow) until all these requests
are fulfilled. By Lemma 4.8 the time between any two of these GRANT events is at least

$m(c_2/c_1).$

Let GRANT(j) be the last GRANT. The time from REQUEST(j) until the corresponding
GRANT(j) is at least

$n \cdot m(c_2/c_1).$

■


Now we present the more delicate arguments needed to prove a lower bound that matches
the upper bound given in Section 4.1. Note that the only differences between the lower bound
to be proved and the one already proved in Theorem 4.7 are the presence of the $l$ terms
describing bounds on the manager's step time and the careful treatment of roundoff. Still, it is
interesting that the bound can be improved in these ways to match the upper bound exactly.

Theorem 4.9 Assume that $l \le c_1$.² Then the worst case response time of any centralized
resource allocation algorithm is at least

$n[c_2(\lfloor (m+l)/c_1 \rfloor + 1)] + l.$

An I/O automaton is called active if in every state there is a locally-controlled action
enabled. (Recall, for example, that the manager in the algorithm of the preceding subsection
was made active by the inclusion of the ELSE action.) Before proceeding with the proof of
the theorem, it is useful to prove the following lemma, which claims that there is no loss
of generality in assuming that the manager is active. As in the previous subsection, denote
by LOCAL the class of all the actions that are locally controlled by the manager (including
GRANT(i), for all $i$).

Lemma 4.10 Suppose that $A$ is a centralized resource allocation algorithm with response time
$\le b$, for a real number $b$. Then there is another such algorithm $A'$, with response time $\le b$, in
which the manager is active.

²Notice that a non-strict inequality is used in this assumption, whereas a corresponding assumption for
Theorem 4.3 uses a strict inequality. This reflects the difference in the kinds of reasoning needed for lower and
upper bound results.
Proof: Given $A$, we produce $A'$ by adding a new internal action NULL to the manager.
The steps associated with this action are exactly those triples of the form $(s', \mathrm{NULL}, s)$, where
$s' = s$ and no other locally controlled action of the manager is enabled in $s'$. Clearly, the
manager is active in $A'$. We claim that $A'$ solves the problem and has response time $\le b$. In
order to see this, it suffices to show that every timed behavior of $A'$ is also a timed behavior
of $A$.

So let

$\alpha' = s'_0, (\pi'_1, t'_1), s'_1, \ldots$

be any timed execution of $A'$. Construct $\alpha$, a new timed sequence, by removing all NULL
steps from $\alpha'$. Assume

$\alpha = s_0, (\pi_1, t_1), s_1, \ldots$

and let $\Pi$ be the mapping from the indices of events in $\alpha$ to the indices of the corresponding
events in $\alpha'$, and set $\Pi(0) = 0$. Note that, for $i \ge 1$, if $j = \Pi(i)$, then $s'_j = s_i$, $t'_j = t_i$ and
$\pi'_j = \pi_i$. We claim that $\alpha$ is a timed execution of $A$. Then it follows that every timed behavior
of $A'$ is a timed behavior of $A$.

All we have to show is that $\alpha$ satisfies the boundmap of $A$. The only interesting case is the
class LOCAL, and since the lower bound for this class is 0, we have to check only the upper
bound, $l$.

Fix some $i$ such that in $s_i$ some locally controlled action of the manager is enabled, and
either $i = 0$ or no locally controlled action of the manager is enabled in $s_{i-1}$, or $\pi_i$ is a locally
controlled action of the manager. We must show that within time $l$ after $t_i$ either a locally
controlled action of the manager occurs, or there is a state in which no such action is enabled.
Let $j = \Pi(i)$. It must be that some locally controlled action of the manager is enabled in
$s'_j$, since some such action is enabled in all states of the manager in $A'$. We first show that
a locally controlled event $\pi$ of the manager must occur in $\alpha'$ within at most $l$ time after $t'_j$.
There are two cases:

Case 1: $i = 0$ or $\pi_i$ is a locally controlled action of the manager in $A$.

If $i = 0$, then it must be that $j = 0$. If $\pi_i$ is a locally controlled action of the manager in $A$,
then it must be that $\pi'_j = \pi_i$. In either case, as the manager in $A'$ is active, a locally controlled
event $\pi$ of the manager must occur in $\alpha'$ within time at most $l$ after $t'_j$, by the fact that $\alpha'$ is
a timed execution of $A'$ and satisfies the boundmap.

Case 2: $i \ge 1$ and no locally controlled action of the manager is enabled in $s_{i-1}$.

Then $\pi_i \notin$ LOCAL, and hence $\pi'_j \notin$ LOCAL. Let $k$ be the largest index of a locally
controlled event in $\alpha'$ that has an index $< j$ (0 if there is no such event). The fact that the
class LOCAL is always enabled in $\alpha'$ implies that within time $l$ from $t'_k$ a locally controlled
event of the manager must occur in $\alpha'$. By the way $k$ was selected this event must happen
after $s'_j$, so the fact that $t'_j \ge t'_k$ implies that a locally controlled event $\pi$ of the manager must
occur in $\alpha'$ within time at most $l$ after $t'_j$.

In both cases, if $\pi \ne$ NULL, then $\pi$, with the same time, appears in $\alpha$, which suffices. If
$\pi =$ NULL, then the definition of $A'$ implies that in the state just prior to $\pi$ in $\alpha'$, no non-null
locally controlled action of the manager $A$ is enabled. Then no locally controlled action of the
manager is enabled in the corresponding state in $\alpha$, which suffices. ■

Now we return to the task of proving Theorem 4.9. The proof will proceed by iterative
construction of a particular slow timed execution. A major step in the construction is forcing
a GRANT event to happen only in certain situations, as specified and proved in the following
technical lemma.

If $i$ is an index with $0 \le i \le n-1$, we say that $i$ is unfulfilled in a timed semi-execution $\alpha$ if
the number of REQUEST(i) events in $\alpha$ is strictly greater than the number of GRANT(i) events
in $\alpha$. We say that a timed execution or timed semi-execution $\alpha$ is heavily loaded starting from
time $t$ if for all times $t \le t' \le t_{end}(\alpha)$, all indices are unful filled in the prefix of $\alpha$ consisting of
all the events occurring up to and including time $t'$. We say that an action is an ELSE action
if it is a locally controlled action of the manager other than a GRANT; ELSE events and steps
are defined similarly.

Lemma 4.11 Let $A$ be a centralized resource allocation algorithm with an active manager,
and let $\alpha$ be a slow timed semi-execution of $A$. Assume that there are unfulfilled indices in
$\alpha$, and LOCAL and TICK events occur in $\alpha$ at time $t_{end}(\alpha)$. Then there exists a slow timed
semi-execution $\beta$ extending $\alpha$, such that for some $i$, $0 \le i \le n-1$,

$sched(\beta) = sched(\alpha\sigma)\,(\mathrm{GRANT}(i), t)\,(\mathrm{REQUEST}(i), t)\,(\mathrm{FINISH}(i), t),$

where $t = t_{end}(\alpha\sigma)$, LOCAL and TICK events occur in $\alpha\sigma$ at time $t$, and there are no
REQUEST or GRANT events in $\sigma$.

Notice that if $\alpha$ is heavily loaded starting from time $t$ then $\beta$ is also heavily loaded starting
from time $t$.

Proof: Assume by way of contradiction that there does not exist a timed semi-execution
with the desired properties. We will extend $\alpha$ to an infinite timed execution in which no
GRANT events occur. As there are unfulfilled indices in $\alpha$ this contradicts the eventual
granting property.

This is done by constructing, inductively starting from $j = 0$, successive slow timed semi-
executions, $\alpha\sigma_j$, each extending the previous one, such that for every $j$:

1. There are no REQUEST or GRANT events in $\sigma_j$.

2. LOCAL and TICK events occur in $\alpha\sigma_j$ at time $t_{end}(\alpha\sigma_j)$.

3. If $j > 0$ then $t_{end}(\alpha\sigma_j) \ge t_{end}(\alpha\sigma_{j-1}) + c_2$.

We start with $\sigma_0$ being the empty sequence. Clearly, 1. and 3. hold, and the assumptions of
the lemma imply that 2. holds. Now, assume we have constructed $\alpha\sigma_j$ and let $s_j$ be the system
state resulting after $\alpha\sigma_j$. There are two cases:

Case 1: There is an execution fragment, of the manager alone, $\alpha'$, starting from state $s_j$ which
consists of a sequence of zero or more ELSE events followed by some GRANT(i) event.

Then let $\beta$ be any timed semi-execution that extends $\alpha\sigma_j$ such that

$sched(\beta) = sched(\alpha\sigma_j\alpha')\,(\mathrm{REQUEST}(i), t_{end}(\alpha\sigma_j))\,(\mathrm{FINISH}(i), t_{end}(\alpha\sigma_j)),$

where the events of $\alpha'$ are all timed to occur exactly at time $t_{end}(\alpha\sigma_j)$. Then $\beta$ has the
properties required by the lemma: it ends with GRANT(i), REQUEST(i) and FINISH(i)
events, LOCAL and TICK events occur in $\beta$ at time $t_{end}(\alpha\sigma_j) = t_{end}(\beta)$, and there are no
REQUEST or GRANT events in the prefix of $\sigma_j\alpha'$ preceding the final GRANT(i) event. This
is a contradiction to the assumed nonexistence of such a timed semi-execution.

Case 2: There is no such execution fragment.

In this case, we can extend $\alpha\sigma_j$ by allowing ELSE events to occur, at arbitrary allowable
times, ending with an ELSE event and a TICK event (occurring in that order) at time
$t_{end}(\alpha\sigma_j) + c_2$. This is possible since the algorithm is active. Let $\alpha\sigma_{j+1}$ be an execution
extending $\alpha\sigma_j$ such that

$sched(\alpha\sigma_{j+1}) = sched(\alpha\sigma_j\delta)\,(\pi, t_{end}(\alpha\sigma_j) + c_2)\,(\mathrm{TICK}, t_{end}(\alpha\sigma_j) + c_2),$

where all events (if any) of $\delta$ are ELSE events, and $\pi$ is an ELSE event.

From the way $\sigma_{j+1}$ was constructed, it follows that $\alpha\sigma_{j+1}$ is slow, and that it has the
following properties:

1. There are no REQUEST or GRANT events in $\sigma_{j+1}$.

2. LOCAL and TICK events occur in $\alpha\sigma_{j+1}$ at time $t_{end}(\alpha\sigma_{j+1})$.

3. $t_{end}(\alpha\sigma_{j+1}) \ge t_{end}(\alpha\sigma_j) + c_2$.

This completes the construction of the timed semi-executions $\alpha\sigma_j$, $0 \le j < \infty$.

Now Lemma 2.2 implies that there exists an infinite timed execution $\alpha\sigma$ extending all
the $\alpha\sigma_j$. Since there are no GRANT events in $\sigma$ and there are unfulfilled indices in $\alpha$, this
contradicts the eventual granting property. ■


Now we are ready to present the main proof.

Proof: (of Theorem 4.9) Assume that we have a particular centralized resource allocation
algorithm. By Lemma 4.10, we may assume without loss of generality that the manager is
active. We explicitly construct a (slow) timed execution in which the response time for a
particular grant is at least

$n(\lfloor (m+l)/c_1 \rfloor + 1)c_2 + l.$

We first construct an initial section, $\beta_0$. We begin by allowing some LOCAL events to
occur (at arbitrary allowable times), ending with both a LOCAL event and a TICK event
occurring at exactly time $c_2$, in that order. Notice that by the grant well-formedness property
these LOCAL events must be ELSE events. We let

REQUEST(0), REQUEST(1), ..., REQUEST($n-1$)

events happen immediately after these ELSE and TICK events, also at time $c_2$. Formally,
let $\beta_0$ be a timed semi-execution that extends another timed semi-execution $\beta$ containing only
ELSE events, such that

$sched(\beta_0) = sched(\beta)\,(\pi, c_2)\,(\mathrm{TICK}, c_2)\,(\mathrm{REQUEST}(0), c_2) \ldots (\mathrm{REQUEST}(n-1), c_2),$

where $\pi$ is an ELSE event. Note that $0, \ldots, n-1$ are unfulfilled indices in $\beta_0$, and that LOCAL
and TICK events occur in $\beta_0$ at time $c_2 = t_{end}(\beta_0)$; furthermore, note that $\beta_0$ is heavily loaded
starting from time $t_0 = t_{end}(\beta_0) = c_2$.

Starting from $\beta_0$, we construct successive proper extensions $\beta_1, \beta_2, \ldots$, such that for
each $k \ge 1$, $\beta_k$ is a slow timed semi-execution of the form $\beta_{k-1}\gamma_k$ that ends at time $t_k = t_{end}(\beta_k)$,
that is heavily loaded starting from time $t_0$, and that has the following properties:

1. $\beta_k$ ends with GRANT($j_k$), REQUEST($j_k$) and FINISH($j_k$) events, occurring in that
order at time $t_k$.

2. There are no other REQUEST or GRANT events in $\gamma_k$.

3. A LOCAL event (other than the GRANT($j_k$)) and a TICK event occur in $\beta_k$ at time $t_k$.

The construction is done inductively: the base case is the construction of $\beta_1$. Since $\beta_0$ has
a LOCAL and a TICK event at time $t_0$, and there are unfulfilled indices in $\beta_0$, we can
apply Lemma 4.11 to get an execution $\beta_1$ with the properties above.

For the inductive step, assume we have constructed a slow timed semi-execution $\beta_{k-1}$, for
$k > 1$, with the above properties; we show how to construct $\beta_k$. Since $\beta_{k-1}$ is heavily loaded
starting at time $t_0$ and LOCAL and TICK events occur in $\beta_{k-1}$ at time $t_{k-1}$, we can apply
Lemma 4.11 to $\beta_{k-1}$ and get a slow timed semi-execution $\beta_k$ that extends $\beta_{k-1}$ such that

$sched(\beta_k) = sched(\beta_{k-1}\sigma_k)\,(\mathrm{GRANT}(j_k), t_k)\,(\mathrm{REQUEST}(j_k), t_k)\,(\mathrm{FINISH}(j_k), t_k),$

where $t_k = t_{end}(\beta_{k-1}\sigma_k)$, LOCAL and TICK events occur in $\beta_{k-1}\sigma_k$ at time $t_k$, and there are
no REQUEST or GRANT events in $\sigma_k$. Let $\gamma_k$ be such that

$\beta_k = \beta_{k-1}\gamma_k.$

Clearly, $\beta_k$ has the required properties.

The timed execution $\beta_k$ is depicted in Figure 3.

Figure 3: The timed execution $\beta_k$.


Claim 4.12 For any $k \ge 1$, there are at least

$\lfloor (m+l)/c_1 \rfloor + 1$

ticks in segment $\gamma_k$ of $\beta_k$.

Proof: Suppose this is not the case, for some fixed $k$. Then we modify $\beta_k$ to get a new timed
semi-execution $\beta'_k$, in which the mutual exclusion property is violated.

First, we do some retiming without changing the order of any of the events. Segment $\gamma_k$ of
$\beta_k$ is "shrunk" in $\beta'_k$ so that all ticks contained within segment $\gamma_k$ take time exactly $c_1$ rather
than $c_2$ as in $\beta_k$. Moreover, the GRANT($j_{k-1}$), REQUEST($j_{k-1}$) and the FINISH($j_{k-1}$)
events occurring at time $t_{k-1}$ are retimed to occur at time $t_{k-1} + l$; some ELSE steps after
FINISH($j_{k-1}$) and before the next TICK may need also to have their times increased slightly
to maintain monotonicity. By the fact that $l \le c_1$, and the fact that there is a LOCAL event
preceding GRANT($j_{k-1}$) with the same time assignment, it follows that the resulting sequence
is a timed execution.

We now obtain $\beta'_k$ by moving FINISH($j_{k-1}$) from time $t_{k-1} + l$ to time $t_k$, after GRANT($j_k$).
We show that $\beta'_k$ is a timed semi-execution, by showing that moving the FINISH event to a
later time does not violate the $m$ upper bound on the time between GRANT($j_{k-1}$) and the
corresponding FINISH($j_{k-1}$). By the assumption, there are at most $\lfloor (m+l)/c_1 \rfloor$ ticks in
section $\gamma_k$. As GRANT($j_{k-1}$) occurs at time $t_{k-1} + l$, while FINISH($j_{k-1}$) occurs at time $t_k$,
the total time between these two events is at most

$(c_1 - l) + c_1(\lfloor (m+l)/c_1 \rfloor - 1) \le m.$

So we have obtained a timed semi-execution in which the mutual exclusion property is violated.
By Lemma 2.3, $\beta'_k$ can be extended to a timed execution; this contradicts the correctness of
the algorithm, thus proving the Claim. ■

The claim implies that

$t_{k+1} - t_k \ge c_2(\lfloor (m+l)/c_1 \rfloor + 1),$

for any $k \ge 1$, because $\beta_{k+1}$ is slow.

We continue the proof of Theorem 4.9. Since for every $k \ge 1$, $\beta_k$ is heavily loaded starting
from time $t_0$ and the algorithm satisfies the eventual granting property, there exists $k'$ such
that for every $i$, $0 \le i \le n-1$, at least one GRANT(i) event appears in $\beta_{k'}$ at or after time $t_1$.
By the same reasoning, there exists $k'' > k'$ such that for every $i$, $0 \le i \le n-1$, at least one
GRANT(i) event appears in $\beta_{k''}$ after time $t_{k'}$. It follows that there is some $i$, $0 \le i \le n-1$,
for which there are two consecutive GRANT(i) events in $\beta_{k''}$ having at least $n-1$ intervening
GRANT(j) events for $j \ne i$. Suppose that the first of these GRANT(i) events occurs at time
$t_{k_1}$, and the second at time $t_{k_2}$; it must be that $k_2 - k_1 \ge n$. Note that the REQUEST(i) event
corresponding to the second of these GRANT(i) events occurs at time $t_{k_1}$. By the remark
after Claim 4.12 the total amount of time from time $t_{k_1}$ in $\beta_{k''}$, when REQUEST(i) occurs,
until the corresponding GRANT(i) occurs, at time $t_{k_2}$, is at least

$n[c_2(\lfloor (m+l)/c_1 \rfloor + 1)].$

We now construct from $\beta_{k''}$ a timed semi-execution $\delta$ in which the GRANT($j_{k_2}$) event
occurs at time $t_{k_2} + l$, retiming later events as necessary to maintain monotonicity. The timed
sequence $\delta$ is a timed semi-execution since $l \le c_1$, and since there is a LOCAL event preceding
GRANT($j_{k_2}$) at time $t_{k_2}$ in $\beta_{k''}$. It follows that the total amount of time from time $t_{k_1}$ in $\delta$,
when REQUEST(i) occurs, until the corresponding GRANT(i) occurs at time $t_{k_2} + l$, is at
least

$n[c_2(\lfloor (m+l)/c_1 \rfloor + 1)] + l.$

Since $\delta$ can be extended to a timed execution (by Lemma 2.3) the Theorem follows. ■


We note that Theorem 4.7 seems quite robust in that it can be extended to any reasonable
model, including those in which the manager takes steps only in response to inputs. However,
the better lower bound in Theorem 4.9 depends more heavily on the features of the timed
automaton model. Note that the limiting case of the lower bound in Theorem 4.9, as $l$
approaches 0, is

$n \cdot c_2(\lfloor m/c_1 \rfloor + 1),$

which is slightly better than the lower bound given by Theorem 4.7.

5  A  Distributed  System 


Now we consider the case where the computer system is distributed. We assume that the events concerning the different moving parts occur at separate manager processes p_i, 0 ≤ i ≤ n − 1, which communicate over unidirectional channels. More precisely, for each ordered pair i ≠ j, we assume that there is a channel automaton channel(i, j) representing a channel from p_i to p_j, having SEND events as inputs and RECEIVE events as outputs. The channel operates as a FIFO queue; when the queue is nonempty, the channel is always enabled to deliver the first item. All RECEIVE actions are in the same partition class, with associated bounds [0, d]; this means that the channel will deliver the first item on the queue within time d. Also, we assume that there is a separate clock, clock(i), for each process p_i. It is similar to the centralized clock described earlier, with output action TICK(i) that is an input to p_i and with associated bounds [c_1, c_2]. See Figure 4.

If the clocks are perfectly accurate, i.e., c_1 = c_2, then since all processes start at the same time, there is a very simple algorithm that assigns to each process a periodic predetermined "time slice" and whose worst case response time is n · m (plus some terms involving c_1, c_2 and l). This is optimal.³ So, for our lower bound we will assume that c_1 < c_2.

³In fact, even if we deviate from the model by allowing accurate clocks with non-synchronized starts, there is an algorithm which selects synchronization points so that its worst case response time is at most n · (m + d/2) (plus some terms involving c_1, c_2 and l). A corresponding lower bound can also be proved. A formal treatment of these results requires several changes to our model, and we prefer not to present it here. The clock synchronization algorithm of [LL84] yields synchronization points that can be used by a distributed allocation algorithm whose response time is at most n · m + (n − 1)d. Since the lower bound of [LL84] implies that this clock synchronization algorithm is optimal, it does not appear that a naive use of clock synchronization produces optimal resource allocation algorithms.
Figure 4: The architecture of the distributed control system.

5.1  The  Upper  Bound 

5.1.1  The  Algorithm 

The following algorithm implements a round-robin granting policy: the processes issue grants when they are in possession of a token that circulates on a ring.

Assume processes are numbered 0, ..., n − 1 in clockwise order, and interpret i + 1 to be i + 1 mod n. Each process p_i has input actions REQUEST(i), TICK(i) and RECEIVE-TOKEN(i), output actions GRANT(i) and SEND-TOKEN(i), and internal action ELSE(i). The state of process i is divided into components:

REQUESTED, holding a Boolean value, initially false;

TIMER, holding an integer, initially 0;

TICKED, holding a Boolean value, initially true;

TOKEN, holding a value in {not_here, available, used}, initially used for p_0 and not_here for the other processes.

Process p_i executes the following algorithm:

REQUEST(i)
  Effect:
    REQUESTED := true

TICK(i)
  Effect:
    TIMER := TIMER − 1
    TICKED := true

GRANT(i)
  Precondition:
    REQUESTED = true
    TOKEN = available
    TICKED = true
  Effect:
    REQUESTED := false
    TOKEN := used
    TIMER := ⌊(m + l)/c_1⌋ + 1
    TICKED := false

SEND-TOKEN(i)    /* to process p_{i+1} */
  Precondition:
    TOKEN = used
    TIMER ≤ 0
  Effect:
    TOKEN := not_here
    TICKED := false

ELSE(i)
  Precondition:
    neither GRANT(i) nor SEND-TOKEN(i) is enabled
  Effect:
    TICKED := false

RECEIVE-TOKEN(i)
  Effect:
    if REQUESTED then TOKEN := available else TOKEN := used
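As an added illustration (not code from the paper), the following Python simulation runs algorithm B under heavy load with n processes, drawing every timed step from inside its bounds: TICK(i) every [c_1, c_2], one LOCAL(i) step every (0, l], a channel delay in [0, d], FINISH(i) within m of GRANT(i), and an operator that re-requests as soon as its moving part stops. The random draws, the parameter values and the names Proc, simulate and response_bound are ours, chosen for the example. The run records the maximum response time, compares it with the bound of Theorem 5.5, n[c_2(⌊(m + l)/c_1⌋ + 1) + d + c_2 + 2l], and checks that no two moving parts are ever in motion at once.

```python
"""Discrete-event simulation of the token-ring allocation algorithm B.

Added example, not the paper's code.  All delays are drawn from a seeded
RNG inside the bounds of the timed automaton model, so runs are repeatable.
"""
import heapq
import math
import random
from dataclasses import dataclass


@dataclass
class Proc:
    """State components of process p_i (Section 5.1.1)."""
    requested: bool = False
    timer: int = 0
    ticked: bool = True
    token: str = "not_here"          # not_here | available | used


def response_bound(n, c1, c2, d, l, m):
    """Upper bound of Theorem 5.5: n[c2(floor((m+l)/c1)+1) + d + c2 + 2l]."""
    return n * (c2 * (math.floor((m + l) / c1) + 1) + d + c2 + 2 * l)


def simulate(n, c1, c2, d, l, m, horizon, seed=1):
    """Run B under heavy load until `horizon` and return run statistics.

    Timing classes (assumed, all inside the model's bounds):
      TICK(i)   : interval in [c1, c2]
      LOCAL(i)  : one locally controlled step every (0, l]
      channel   : delivery delay in [0, d]
      FINISH(i) : within m after GRANT(i); the operator re-requests at once
    """
    rng = random.Random(seed)
    procs = [Proc() for _ in range(n)]
    procs[0].token = "used"                      # p_0 starts with the token
    timer_init = math.floor((m + l) / c1) + 1    # value loaded by GRANT(i)
    queue, seq = [], 0

    def schedule(t, kind, i):
        nonlocal seq
        heapq.heappush(queue, (t, seq, kind, i))
        seq += 1

    for i in range(n):                           # heavy load from time 0
        schedule(0.0, "request", i)
        schedule(rng.uniform(c1, c2), "tick", i)
        schedule(rng.uniform(0.0, l), "local", i)

    pending, moving = {}, set()                  # request times, parts in motion
    responses, max_overlap = [], 0

    while queue:
        t, _, kind, i = heapq.heappop(queue)
        if t > horizon:
            break
        p = procs[i]
        if kind == "request":                    # REQUEST(i)
            p.requested = True
            pending[i] = t
        elif kind == "tick":                     # TICK(i)
            p.timer -= 1
            p.ticked = True
            schedule(t + rng.uniform(c1, c2), "tick", i)
        elif kind == "recv":                     # RECEIVE-TOKEN(i)
            p.token = "available" if p.requested else "used"
        elif kind == "finish":                   # FINISH(i): moving part stops
            moving.discard(i)
            schedule(t, "request", i)
        elif kind == "local":                    # one LOCAL(i) step
            if p.requested and p.token == "available" and p.ticked:   # GRANT(i)
                p.requested, p.token = False, "used"
                p.timer, p.ticked = timer_init, False
                responses.append(t - pending.pop(i))
                moving.add(i)
                max_overlap = max(max_overlap, len(moving))
                schedule(t + rng.uniform(0.0, m), "finish", i)
            elif p.token == "used" and p.timer <= 0:                   # SEND-TOKEN(i)
                p.token, p.ticked = "not_here", False
                schedule(t + rng.uniform(0.0, d), "recv", (i + 1) % n)
            else:                                                      # ELSE(i)
                p.ticked = False
            schedule(t + rng.uniform(0.0, l), "local", i)

    return {
        "grants": len(responses),
        "max_response": max(responses, default=0.0),
        "bound": response_bound(n, c1, c2, d, l, m),
        "max_overlap": max_overlap,              # 1 means mutual exclusion held
    }


if __name__ == "__main__":
    print(simulate(n=4, c1=0.9, c2=1.1, d=0.5, l=0.05, m=3.0, horizon=400.0))
```

The TICKED = true precondition of GRANT(i) is what makes the TIMER reload safe: it guarantees that the most recent TICK(i) happened at most l before the grant, so the ⌊(m + l)/c_1⌋ + 1 ticks counted after the grant span more than m, which is exactly what Lemma 5.3 records.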


5.1.2  Correctness  Proof 

Now  let  B  be  the  composition  of  all  the  given  timed  automata:  operators,  moving  parts, 
processes,  channels  and  clocks.  This  subsection  is  devoted  to  proving  the  following  theorem. 

Theorem  5.1  Algorithm  B  is  a  correct  distributed  resource  allocation  algorithm. 

As in the proof of the centralized algorithm, we construct the I/O automaton time(B). This time, the new state components are Ctime, plus, for each i, Ftime and Ltime for the following partition classes:

1. REQUEST(i), which contains the single action REQUEST(i),

2. FINISH(i), which contains the single action FINISH(i),

3. TICK(i), which contains the single action TICK(i), and

4. LOCAL(i), the class of locally controlled actions of process i, which contains all the actions GRANT(i), SEND-TOKEN(i) and ELSE(i).

Initially, we have Ftime(REQUEST(i)) = 0, Ltime(REQUEST(i)) = ∞, Ftime(FINISH(i)) = 0 and Ltime(FINISH(i)) = ∞, Ftime(TICK(i)) = c_1, Ltime(TICK(i)) = c_2, Ftime(LOCAL(i)) = 0 and Ltime(LOCAL(i)) = l.

Let #tokens(i) be the length of the queue in channel(i, i + 1). We first prove a lemma giving an invariant for time(B); this invariant happens not to involve any of the state components that encode time information. The proof appears in Appendix A.2.

Lemma 5.2 Let s be a reachable state of time(B). Then the total number of processes at which TOKEN ≠ not_here, plus the sum of #tokens(i) over 0 ≤ i < n, is exactly 1.

We now prove another invariant, this one involving the timing information. The result is similar to Lemma 4.2. The proof is in Appendix A.3.

Lemma 5.3 Let s be a reachable state of time(B), and let 0 ≤ i ≤ n − 1. Then the following all hold:

1. If FINISH(i) is enabled in s.Astate, then

(a) s.TIMER(i) > 0,

(b) s.Ftime(TICK(i)) + (s.TIMER(i) − 1)c_1 ≥ s.Ltime(FINISH(i)), and

(c) s.TOKEN(i) = used.

2. If s.TICKED(i) = true then s.Ftime(TICK(i)) ≥ s.Ltime(LOCAL(i)) + c_1 − l.

The following corollary implies that mutual exclusion is maintained by the algorithm.

Corollary 5.4 In any reachable state s of time(B), if FINISH(i) is enabled, for some i, then FINISH(j) is not enabled for all j ≠ i.

Proof: Assume to the contrary that FINISH(j) is enabled in s, for j ≠ i. Since FINISH(i) and FINISH(j) are both enabled in s, invariant 1(c) (proved in Lemma 5.3) implies that

s.TOKEN(i) = s.TOKEN(j) = used .

But this implies that the number of processes for which TOKEN ≠ not_here is at least two, contradicting Lemma 5.2. Therefore, this case cannot occur. ■

Proof: (of Theorem 5.1) Corollary 5.4 implies mutual exclusion. Moving part well-formedness follows from the same corollary and the definition of the moving part. Request well-formedness follows from the definitions of the operators and the processes. Eventual granting can be argued from the round-robin behavior of the processes; it also follows from the upper bound on response time proved formally in the following subsection. ■

5.2  Response  Time 

Now  we  prove  the  upper  bound  on  response  time  for  the  given  distributed  algorithm  B. 

Theorem 5.5 The worst case response time for algorithm B is at most

$n[c_2(\lfloor (m + l)/c_1 \rfloor + 1) + d + c_2 + 2l] .$

We  use  the  following  lemmas. 

Lemma 5.6 In any reachable state s, and for any i,

$s.TIMER(i) \le \lfloor (m + l)/c_1 \rfloor + 1 .$

Proof: By an easy induction. ■

Lemma 5.7 Let s be any state occurring in a timed execution, in which s.TIMER(i) ≤ k, for k ≥ 1. Then (at least) one of the following two conditions holds.

1. s.TIMER(i) ≤ 0 and s.TICKED(i) = true, or

2. the time from the given occurrence of s until a later TICK(i) event resulting in TIMER(i) ≤ 0 is bounded above by c_2 · k.

Proof: As for Lemma 4.6. ■

Say that process p_i is operative in state s if s.TOKEN(i) = used. By Lemma 5.2, at any time there is at most one operative process.

Lemma 5.8 If process p_i is operative, then the time until process p_{i+1} becomes operative is at most

$c_2(\lfloor (m + l)/c_1 \rfloor + 1) + d + c_2 + 2l .$

Proof: By Lemmas 5.6 and 5.7, either TIMER(i) ≤ 0 and TICKED(i) = true, or else within time

$c_2(\lfloor (m + l)/c_1 \rfloor + 1)$

a TICK(i) event occurs setting TIMER(i) ≤ 0; in either case, SEND-TOKEN(i) will be enabled within time

$c_2(\lfloor (m + l)/c_1 \rfloor + 1) .$

Within time l after that, SEND-TOKEN(i) will occur and RECEIVE-TOKEN(i + 1) will be enabled (since it is the only message in the channel), and within an additional time d, it will be executed. If there is a pending request at process p_{i+1} when this RECEIVE-TOKEN(i + 1) occurs, i.e., if REQUESTED(i + 1) = true at this point, then this RECEIVE-TOKEN(i + 1) will set TOKEN(i + 1) = available. Then within time c_2, GRANT(i + 1) will be enabled and within time l it will be executed, causing process p_{i+1} to become operative. On the other hand, if there is no pending request, i.e., REQUESTED(i + 1) = false, then the RECEIVE-TOKEN(i + 1) will set TOKEN(i + 1) = used and thereby cause process p_{i+1} to become operative. ■

Define the distance from process p_i to process p_j to be the distance between them along the ring (in the clockwise direction); if i = j we define the distance to be n.

Proof: (of Theorem 5.5) Consider the point in the timed execution at which a request arrives, say at process p_j. We consider cases (one of which must hold, by Lemma 5.2).

1. There is some operative process p_i when the request arrives (where it is possible that i = j). Then the distance from p_i to p_j is at most n. Applying Lemma 5.8 repeatedly (at most n times) yields the claimed bound.

2. The value of TOKEN(i) = available for some i. If i = j, then the request will be granted within time c_2 + l. If i ≠ j, then within time c_2 + l, process p_i becomes operative. Applying Lemma 5.8 repeatedly (at most n − 1 times) yields the claimed bound.

3. There is a message in one of the channels, say channel(i − 1, i). If i = j, then the request will be granted within time d + c_2 + l. If i ≠ j, then within time d + c_2 + l, process p_i becomes operative. Applying Lemma 5.8 repeatedly (at most n − 1 times) yields the claimed bound. ■

Again, we note that the limiting case of the upper bound as l approaches 0 is

$n[c_2(\lfloor m/c_1 \rfloor + 1) + d + c_2] .$
5.3 Lower Bound

Now we prove our lower bound on worst case response time for arbitrary distributed resource allocation algorithms. This proof is similar to that of the simple lower bound for centralized algorithms (Theorem 4.7) rather than the more complicated tight bound (Theorem 4.9) in that we do not concern ourselves with process step time or with roundoffs. As a result, this proof seems sufficiently robust to extend to other reasonable models for timing-based computation.

Note that the gap between our upper and lower bounds for the distributed case does not only involve process step times and roundoffs, but also involves additive terms of d and of n · c_2.

In order to prove this lower bound we must make the assumption that the moving time is much larger than the message delivery time; more precisely, that (n − 1) · d < m(c_2/c_1).

Theorem 5.9 Assume that c_1 < c_2 and that (n − 1) · d < m · (c_2/c_1). Then the worst case response time of any distributed resource allocation algorithm is at least

$n \cdot c_2(m/c_1) + (n - 1) \cdot d .$

The  lower  bound  is  proved  under  the  assumption  that  every  message  is  delivered  within 
time  d.  This  is  a  stronger  assumption  than  the  one  used  for  the  upper  bound;  there,  we 
only  insist  that  this  upper  bound  hold  for  the  first  message  on  any  link.  Since  the  present 
assumption  is  stronger,  it  only  serves  to  strengthen  the  lower  bound. 

In the proof we first show that the round-robin granting policy used by the algorithm of Section 5.1 is optimal in the following sense: for any "efficient" algorithm, in any execution in which requests arrive continuously, the order in which requests are first granted must be repeated in a round-robin fashion.

Once  such  an  order  has  been  established,  we  extend  the  execution  while  fixing  a  particular 
pattern  of  message  delays.  After  doing  this  for  a  sufficiently  long  time,  we  retime  parts  of  the 
execution  by  carefully  “shifting”  certain  events,  while  appropriately  retiming  other  events,  to 
get  the  desired  time  bound. 

Recall the definition of a heavily loaded timed execution or timed semi-execution from Section 4.2. In a manner similar to the centralized case, we define a timed execution or timed semi-execution to be slow if, for each i, the times between successive TICK(i) events (and the time of the first TICK(i) event) are exactly c_2. The following lemma is the distributed version of Lemma 4.8.

Lemma 5.10 Let α be a slow timed execution of a correct distributed resource allocation algorithm. Then the time between any two consecutive GRANT events in α is strictly greater than

$c_2(m/c_1) .$
The next lemma shows that if an execution is heavily loaded, the best policy (for an "efficient" algorithm) is to grant the resource in a round-robin manner, because changing the granting order will cause the response time to exceed a bound higher than the one we are attempting to prove as a lower bound.

Lemma 5.11 Let B be a distributed resource allocation algorithm with response time at most (n + 1) · c_2(m/c_1). Let α be a slow timed execution of B that is heavily loaded starting from time t. Then there exists some permutation p of {0, ..., n − 1} such that the subsequence of all GRANT events that occur in α after time t is of the form

GRANT(p_0), ..., GRANT(p_{n−1}), GRANT(p_0), ..., GRANT(p_{n−1}), ...

Proof: Suppose by way of contradiction that there is no such permutation p. Then there is some index i for which two GRANT(i) events π_1 and π_2 occur (at times t_1 and t_2 respectively) after time t, where there are at least n GRANT(j) events, j ≠ i, intervening between π_1 and π_2.

By Lemma 5.10, the time between any two consecutive GRANT events from among these n + 2 GRANT events is strictly greater than c_2(m/c_1). Since there are at least n + 1 such gaps, the time between π_1 and π_2 is strictly greater than

$(n + 1) \cdot c_2(m/c_1) .$

Since α is heavily loaded, a REQUEST(i) event must follow π_1 and occur at time t_1. Since that REQUEST(i) is fulfilled by π_2 at time t_2, the response time for that REQUEST(i) is strictly greater than (n + 1) · c_2(m/c_1), which contradicts the assumed bound on the response time of the algorithm. ■

Proof: (of Theorem 5.9) Assume by way of contradiction that there is some algorithm that always responds within time

$n \cdot c_2(m/c_1) + (n - 1)d .$

By assumption

$(n - 1)d < m(c_2/c_1) = c_2(m/c_1) ,$

which implies that

$n \cdot c_2(m/c_1) + (n - 1)d < (n + 1) \cdot c_2(m/c_1) .$

Thus, the response time for the algorithm is at most

$(n + 1) \cdot c_2(m/c_1) ,$

so Lemma 5.11 applies to it.
We will construct a slow timed execution of the algorithm that either exceeds the claimed bound on response time or violates the mutual exclusion property. We begin by considering a slow timed execution α' that is heavily loaded starting from some time t, and letting α be the shortest prefix of this timed execution that ends just after exactly n GRANT events have occurred after time t. Lemma 5.11 implies that there is some permutation p such that all GRANT events that appear in α' after time t occur in the order p_0, ..., p_{n−1}, p_0, .... In fact, Lemma 5.11 implies that the GRANT events that occur after time t in any timed semi-execution that extends α and is heavily loaded starting from time t appear in the order p_0, ..., p_{n−1}, p_0, ....

We sometimes abuse notation and write p_{p_i} < p_{p_j} when i < j, that is, p_{p_i} precedes p_{p_j} in the order established by p.

We now consider the "ring" of processes formed by the round-robin order defined above. We extend the execution in such a way that messages are delivered with maximum delay when sent from lower numbered processes to higher numbered processes (in the order established by p), while messages going the other way are delivered immediately. Intuitively, this enables us to "postpone" notification of the granting as long as possible.

More formally, we extend α to get a slow timed execution αβ' which is heavily loaded starting from time t and such that the message delivery times for messages sent in β' are as follows:

• If i < j, then a message from p_{p_i} to p_{p_j} takes exactly time d.

• If i > j, then a message from p_{p_i} to p_{p_j} takes exactly time 0.

Let αβ be a "sufficiently long" prefix of αβ', specifically, one for which

$\frac{c_1}{c_2} \le \frac{t_{end}(\alpha\beta) - t_{end}(\alpha) - d}{t_{end}(\alpha\beta) - t_{end}(\alpha)} .$

This can be easily done since, by assumption, c_1/c_2 < 1. Let r_1 = t_end(α) and r_2 = t_end(αβ).

Let γ be such that αβγ = αβ'. We know that γ contains a subsequence of n + 1 consecutive GRANT events, in order

GRANT(p_0), GRANT(p_1), ..., GRANT(p_{n−1}), GRANT(p_0) .

Now divide γ into n + 2 segments γ_0, ..., γ_{n+1}, where

1. γ_0 ends with the first of these GRANT(p_0) events,

2. for each i, 1 ≤ i ≤ n − 1, γ_i starts just after GRANT(p_{i−1}) and ends with GRANT(p_i),

3. γ_n starts just after GRANT(p_{n−1}) and ends with the second GRANT(p_0), and

4. γ_{n+1} includes the rest of γ.

For each i, 0 ≤ i ≤ n + 1, let t_i = t_end(αβγ_0 ... γ_i). For any 1 ≤ i ≤ n, define the length of segment γ_i to be ℓ_i = t_i − t_{i−1}. Intuitively, ℓ_i is the amount of time that passes during γ_i.

Figure 5 depicts the timed execution αβγ. Each horizontal line represents events happening at one process, the arrows show delay times between pairs of processes (after time r_1), while dashed vertical lines mark time points that are used in the proof.

We now prove a key lemma that provides a lower bound for the length of each segment γ_1, ..., γ_{n−1}.

Lemma 5.12 For any i, 1 ≤ i ≤ n − 1,

$\ell_i > c_2(m/c_1) + d .$

Proof: Assume by way of contradiction that

$\ell_i \le c_2(m/c_1) + d$

for some particular i, 1 ≤ i ≤ n − 1.

From αβγ we construct a new timed execution αδ in which the mutual exclusion property is violated. We first construct an intermediate timed execution αδ' in which we "shift" back in time the events occurring at processes p_{p_i}, ..., p_{p_{n−1}} in the following way:

1. Each event occurring at any of the processes p_{p_0}, ..., p_{p_{i−1}} that occurs in βγ at time u also occurs in δ' at time u.

2. Each event occurring at any of the processes p_{p_i}, ..., p_{p_{n−1}} that occurs in βγ at time u occurs in δ' at time u', where:

(a) If u ≥ r_2 then u' = u − d.

(b) If r_1 ≤ u < r_2 then

$u' = r_1 + \frac{r_2 - r_1 - d}{r_2 - r_1} \cdot (u - r_1) .$

That is, the events occurring at processes ≥ p_{p_i} at times ≥ r_2 are moved d earlier; notice that events occurring in α (at times ≤ r_1) are not moved. All the intermediate events are shifted back proportionally.

The resulting sequences of timed events must be merged into a single sequence consistently with the order of the times; events occurring at different processes at the same time can be merged in arbitrary order, except that a SEND event that corresponds to a RECEIVE event in αβγ must precede it in αδ'.


Figure 5: The timed execution αβγ.


Claim 5.13 αδ' is a timed execution of the system.

Proof: The key things that need to be shown are:

• No message is received before it is sent.

• No message takes more than time d to be delivered.

• No clock tick takes time less than c_1.

For the first two conditions, notice that in βγ we have that messages take time:

• d from all processes < p_{p_i} to all processes ≥ p_{p_i}, and

• 0 in the reverse direction.

We are only shifting events of processes ≥ p_{p_i} earlier by at most d, so message delivery time is kept ≤ d, and no message is received before it is sent.

For the third condition, note that all clock tick intervals are of length c_2 in αβγ, and no portion of this timed execution is shrunk by more than the ratio

$\frac{r_2 - r_1 - d}{r_2 - r_1} .$

As the original length of the tick interval was c_2, the new length of a clock tick interval is at least

$c_2 \cdot \frac{r_2 - r_1 - d}{r_2 - r_1} \ge c_1 ,$

by the way β was selected. This completes the proof of Claim 5.13. ■

Now we resume the proof of Lemma 5.12. Note the following additional properties of αδ':

• Any clock tick interval at a process < p_{p_i} takes time exactly c_2.

• Any clock tick interval at a process ≥ p_{p_i} that begins at a time ≥ r_2 − d takes time exactly c_2.

• Any clock tick interval at a process ≥ p_{p_i} that begins at a time < r_2 − d and ends at a time u ≥ r_2 takes time at least u − r_2 + (c_2 − (u − r_2))(c_1/c_2).

• The length of the new segment corresponding to γ_i is at most c_2(m/c_1), since GRANT(p_{i−1}) is not moved while GRANT(p_i), which occurs after r_2, is moved d earlier.


Now to get αδ from αδ', we "shrink" the portion of αδ' after time r_2 by the ratio (c_1/c_2) and move the FINISH(p_{i−1}) event (of segment γ_i) after the GRANT(p_i) event (at the end of segment γ_i), thus creating a violation of the mutual exclusion property. More precisely, if an event happens at time u' in αδ', then the corresponding event happens at time u in αδ, where:

1. If u' ≤ r_2, then u = u'.

2. If u' > r_2, then u = r_2 + (c_1/c_2)(u' − r_2).

Claim 5.14 αδ is a timed execution of the system.

Proof: The key things that need to be shown are:

• No clock tick interval is smaller than c_1.

• The FINISH(p_{i−1}) event occurs within time m after the corresponding GRANT(p_{i−1}) event.

For the first condition, if a tick interval happens at a process p_j < p_{p_i}, or a tick interval starts no sooner than time r_2 − d in αδ', then this clearly holds, since the properties of αδ' stated above imply that those intervals are of length c_2, and shrinking by the ratio c_1/c_2 leaves a length of at least c_1.

The only case left is that of a tick interval that occurs at a process ≥ p_{p_i} and starts before r_2 − d in αδ'. Let u be the time at which the interval ends in αδ'. If u ≤ r_2, then the interval is not shrunk at all, so we can assume that u > r_2. Then by the properties of αδ' stated above, the length of this interval in αδ' is at least u − r_2 + (c_2 − (u − r_2))(c_1/c_2). But in going from αδ' to αδ, only the portion of the interval after time r_2 gets shrunk; therefore, the length of the new interval is at least

$(u - r_2)(c_1/c_2) + (c_2 - (u - r_2))(c_1/c_2) = c_1 ,$

as needed for the first condition.

For the second condition, the time between the GRANT(p_{i−1}) and the GRANT(p_i) in αδ, i.e., the length of the segment corresponding to γ_i in αδ, is at most m; hence moving FINISH(p_{i−1}) after GRANT(p_i) does not violate the m upper bound.

This completes the proof of Claim 5.14. ■

To complete the proof of Lemma 5.12, we need only observe that αδ is a timed execution of the system in which the mutual exclusion property is violated, a contradiction. ■
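To make the two retimings concrete, here is a small Python check, added for this page and not taken from the paper, that applies the shift of step 2 and then the c_1/c_2 shrink to a constructed slow execution with two processes: A stands for a process below p_{p_i} (never moved) and B for a process at or above it (shifted). The parameter values c_1 = 1, c_2 = 2, d = 1, r_1 = 0 and the event list are made up; r_2 is taken as the smallest value satisfying the prefix condition on αβ, and the GRANT at B is placed so that the A-to-B grant gap equals c_2(m/c_1) + d with m = 1.5, the boundary of the contradiction hypothesis of Lemma 5.12. The function names are ours.

```python
"""Shift-and-shrink retiming from the proof of Lemma 5.12.

Added example, not code from the paper.  The event list is constructed:
process "A" (index below i, never moved), process "B" (index i or above,
shifted), a slow clock (ticks every c2) at each, and messages that take
exactly d from A to B and exactly 0 from B to A, as in beta'.
"""

C1, C2, D = 1.0, 2.0, 1.0           # clock bounds and message bound (assumed)
R1 = 0.0                            # t_end(alpha) (assumed)


def min_beta_length(d, c1, c2):
    """Smallest r2 - r1 with c1/c2 <= (r2 - r1 - d)/(r2 - r1)."""
    return d * c2 / (c2 - c1)


R2 = R1 + min_beta_length(D, C1, C2)   # t_end(alpha beta), chosen minimal

# (process, kind, time[, message id]) -- sorted by time, sends before receives
EXAMPLE_EVENTS = [
    ("A", "send", 1.0, "m1"), ("B", "send", 1.5, "m4"), ("A", "recv", 1.5, "m4"),
    ("A", "tick", 2.0), ("B", "tick", 2.0), ("B", "recv", 2.0, "m1"),
    ("A", "send", 3.0, "m2"), ("B", "send", 3.0, "m3"), ("A", "recv", 3.0, "m3"),
    ("A", "grant", 3.0),                        # GRANT(p_{i-1}) at A
    ("A", "tick", 4.0), ("B", "tick", 4.0), ("B", "recv", 4.0, "m2"),
    ("A", "tick", 6.0), ("B", "tick", 6.0),
    ("B", "grant", 7.0),                        # GRANT(p_i) at B: gap 4 = c2(m/c1)+d
    ("A", "tick", 8.0), ("B", "tick", 8.0),
]


def shift(u, r1, r2, d):
    """Step 2 of the construction of alpha delta' (processes >= p_{p_i})."""
    if u <= r1:
        return u                                # nothing inside alpha moves
    if u >= r2:
        return u - d                            # after alpha beta: d earlier
    return r1 + (r2 - r1 - d) / (r2 - r1) * (u - r1)   # proportional in beta


def shrink(u, r2, c1, c2):
    """Construction of alpha delta from alpha delta': scale after r2 by c1/c2."""
    return u if u <= r2 else r2 + (c1 / c2) * (u - r2)


def retime(events, shifted, r1, r2, d, c1, c2):
    """Shift the events of `shifted` processes, then shrink every event."""
    out = []
    for proc, kind, u, *extra in events:
        if proc in shifted:
            u = shift(u, r1, r2, d)
        out.append((proc, kind, shrink(u, r2, c1, c2), *extra))
    return sorted(out, key=lambda e: e[2])      # stable: sends stay before receives


def timing_violations(events, d, c1, eps=1e-9):
    """Tick intervals below c1 and message delays outside [0, d]."""
    sends = {e[3]: e[2] for e in events if e[1] == "send"}
    bad, last_tick = [], {}
    for proc, kind, t, *extra in events:
        if kind == "tick":
            if proc in last_tick and t - last_tick[proc] < c1 - eps:
                bad.append(("short_tick", proc, t - last_tick[proc]))
            last_tick[proc] = t
        elif kind == "recv":
            delay = t - sends[extra[0]]
            if delay < -eps or delay > d + eps:
                bad.append(("bad_delay", extra[0], delay))
    return bad


def segment_length(events, lo, hi):
    """Time from the GRANT at process `lo` to the GRANT at process `hi`."""
    grants = {e[0]: e[2] for e in events if e[1] == "grant"}
    return grants[hi] - grants[lo]


if __name__ == "__main__":
    new = retime(EXAMPLE_EVENTS, {"B"}, R1, R2, D, C1, C2)
    print("violations after retiming:", timing_violations(new, D, C1))
    print("grant gap before/after:",
          segment_length(EXAMPLE_EVENTS, "A", "B"), segment_length(new, "A", "B"))
```

With these values the grant gap shrinks from c_2(m/c_1) + d = 4 to exactly m = 1.5, so FINISH at A can legally be placed at or after the GRANT at B, while every tick interval stays at least c_1 and every message delay stays in [0, d]; this is the contradiction the lemma exploits.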

To complete the proof of Theorem 5.9, consider the execution αβγ, and consider the REQUEST(p_0) that occurs just after the first of the designated GRANT(p_0) events in γ. From Lemma 5.10 it follows that

Together with Lemma 5.12 this implies that the total time from that REQUEST(p_0) event until the corresponding GRANT(p_0) event is strictly greater than

$(n - 1)(c_2(m/c_1) + d) + c_2(m/c_1) = n \cdot c_2(m/c_1) + (n - 1)d ,$

as claimed. ■


6  Discussion  and  Open  Problems 


In this paper, we have defined a timing-based variant of the mutual exclusion problem, and have considered both centralized and distributed solutions to this problem. We have proved upper bounds for both cases, based on simple algorithms; these bounds are fairly complicated functions of clock time, manager or process step time, moving time for the moving parts, and (in the distributed case) message delivery time.

We also have proved corresponding lower bounds for both cases. In the centralized case, the lower bound exactly matches the upper bound, even when the manager step time and the roundoffs are considered. In the more complicated distributed setting, the lower bound is very close to the upper bound, but does not match it exactly.

The bounds are all proved using the timed automaton model for timing-based concurrent systems. It is interesting to ask how dependent the results are on this choice of model. The timed automaton model differs from some others in modeling process steps explicitly (rather than assuming the algorithms are interrupt-driven); thus, our results involving this process step time would not be expected to extend immediately to such interrupt-driven models (except possibly in the limit, as this step time approaches zero). However, some of our results, most notably the lower bound for the distributed case, do not involve process step times and thus appear to be quite model-independent. An alternative approach would be to use a general model that describes interrupt-driven computation, but we do not yet know (in general) how to define such a model.

There are several open questions directly related to the work presented in this paper. First, there is a gap remaining between the upper and lower bound results for the distributed resource allocation problem. Even neglecting process step time, there is a difference of additive terms of d, the upper bound on message delivery time, and n · c_2, the number of processes times the upper bound on the clock tick time. Preliminary results suggest that under certain assumptions about the relative sizes of the parameters, the upper bound can be reduced by approximately d. However, we do not yet have a general result about this.

Our lower bound for the distributed resource allocation problem assumes that (n − 1) · d < m · (c_2/c_1). It would be interesting to see if this assumption can be removed.

It would also be interesting to consider the same problem in a model in which there are nontrivial lower bounds on the time for message delivery (and perhaps for process steps). While our upper bound proofs still work in this situation, the same is not true for our lower bound proofs. The strategy of shrinking and shifting timed executions to produce other timed executions becomes much more delicate when lower bounds on these various kinds of events must also be respected.

Our results imply that the ratio c_2/c_1 has a significant impact on the response time of the system. It would also be interesting to consider the case where a process has more than one clock, say an additional clock with bounds [c'_1, c'_2]. We would like to understand how the results depend on the four parameters c_1, c_2, c'_1 and c'_2.

Other related problems can also be studied using the models and techniques of this paper. One could define timing-based analogs of other problems besides mutual exclusion that have been studied in the asynchronous setting (for example, other exclusion problems such as the dining philosophers problem, distributed consensus problems, or synchronization problems such as the session problem of [AFL81]); it should be possible to obtain combinatorial results about them in the style of the results of this paper. In addition to defining variants of asynchronous problems, one can also extract prototypical problems from practical real-time systems research and use them as a basis for combinatorial work.

In another direction, the algorithm proofs presented here suggest general approaches to verification of real-time systems. As mentioned in Section 4.1.3, we believe that there may be a unified method for treating correctness and performance analysis of timing-based algorithms, and are currently exploring this possibility in [LA].

Work of the sort presented here (and the extensions proposed above) should provide an excellent basis for evaluating the timed automaton model as a general model for reasoning about timing-based systems (and comparing it with alternative models for timing-based computation).
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A  Proofs  of  Lemmas 


A.1 Proof of Lemma 4.2

The proof is by induction on the length of a finite execution, $\alpha$, that ends in state $s$. The
base, length 0, is trivial since $FINISH(i)$ is not enabled in any initial state. So suppose that
$\alpha = \alpha'(s', (\pi, t), s)$ and the result holds for $\alpha'$ and $s'$. We show it holds for $\alpha$ and $s$. We
consider cases.

Case 1: $\pi = REQUEST(j)$, for some $j$, $0 \le j \le n - 1$, or $\pi = ELSE$.

First suppose that $FINISH(i)$ is enabled in $s.Astate$, for some $i$, $0 \le i \le n - 1$ (where
$i$ might or might not be equal to $j$). Then it is also enabled in $s'.Astate$. The inductive
hypothesis implies that

1. (a) $s'.TIMER > 0$,

   (b) $s'.Ftime(TICK) + (s'.TIMER - 1)c_1 > s'.Ltime(FINISH(i))$, and

   (c) $FINISH(k)$ is not enabled in $s'.Astate$, for any $k \ne i$.

Since $s.TIMER = s'.TIMER$, we have $s.TIMER > 0$. Since

$$s.Ftime(TICK) = s'.Ftime(TICK),$$

and

$$s.Ltime(FINISH(i)) = s'.Ltime(FINISH(i)),$$

we have that

$$s.Ftime(TICK) + (s.TIMER - 1)c_1 > s.Ltime(FINISH(i)).$$

Also, $FINISH(k)$ is not enabled in $s.Astate$, for any $k \ne i$.

Now suppose that $s.TICKED = true$. Then it must be that $\pi$ is $REQUEST(j)$ and
$s'.TICKED = true$. Then

$$s'.Ftime(TICK) \ge s'.Ltime(LOCAL) + c_1 - l.$$

Since

$$s.Ftime(TICK) = s'.Ftime(TICK),$$

and

$$s.Ltime(LOCAL) = s'.Ltime(LOCAL),$$

we have that

$$s.Ftime(TICK) \ge s.Ltime(LOCAL) + c_1 - l.$$

Case 2: $\pi = FINISH(j)$, for some $j$, $0 \le j \le n - 1$.

First suppose that $FINISH(i)$ is enabled in $s.Astate$, for some $i$, $0 \le i \le n - 1$. It cannot
be that $i = j$, so $j \ne i$. But then both $FINISH(i)$ and $FINISH(j)$ are enabled in $s'.Astate$,
which contradicts the inductive hypothesis. Therefore, this case cannot occur.

Second, suppose that $s.TICKED = true$. Then the same argument as in Case 1 shows that
$s.Ftime(TICK) \ge s.Ltime(LOCAL) + c_1 - l$.


Case 3: $\pi = TICK$.

First suppose that $FINISH(i)$ is enabled in $s.Astate$, for some $i$, $0 \le i \le n - 1$. Then it is
also enabled in $s'.Astate$, so the inductive hypothesis implies that

1. (a) $s'.TIMER > 0$,

   (b) $s'.Ftime(TICK) + (s'.TIMER - 1)c_1 > s'.Ltime(FINISH(i))$, and

   (c) $FINISH(k)$ is not enabled in $s'.Astate$, for any $k \ne i$.

We first prove that $s.TIMER > 0$. If not, then it must be that $s'.TIMER = 1$. Then the
inductive hypothesis implies that

$$s'.Ftime(TICK) > s'.Ltime(FINISH(i)).$$

But then the definition of $time(A)$ implies that $(TICK, t)$ is not enabled in $s'$, since a $FINISH(i)$
must happen first. This is a contradiction.

For invariant 1b, we see that

$$\begin{aligned}
s.Ftime(TICK) + (s.TIMER - 1)c_1
&= t + c_1 + (s'.TIMER - 1 - 1)c_1 \\
&= t + (s'.TIMER - 1)c_1 \\
&> t + s'.Ltime(FINISH(i)) - s'.Ftime(TICK) \quad \text{by inductive hypothesis,} \\
&\ge s'.Ltime(FINISH(i)) \quad \text{by the definition of } time(A), \\
&= s.Ltime(FINISH(i)).
\end{aligned}$$

Thus,

$$s.Ftime(TICK) + (s.TIMER - 1)c_1 > s.Ltime(FINISH(i)).$$

The third clause carries over easily.

Now suppose (actually, it must happen) that $s.TICKED = true$. Then $s.Ftime(TICK) =
t + c_1$ and $s.Ltime(LOCAL) \le t + l$, so

$$s.Ftime(TICK) \ge s.Ltime(LOCAL) + c_1 - l.$$

Case 4: $\pi = GRANT(j)$, for some $j$, $0 \le j \le n - 1$.

First suppose that $FINISH(i)$ is enabled in $s.Astate$, for some $i$, $0 \le i \le n - 1$. If $i \ne j$,
then $FINISH(i)$ is also enabled in $s'.Astate$, so by the inductive hypothesis, $s'.TIMER > 0$.
But this contradicts the preconditions of $GRANT(j)$. Therefore, it must be that $i = j$.

Then the effects of $GRANT(i)$ imply that $s.TIMER > 0$. Note that

$$s'.Ltime(LOCAL) \ge t$$

(since $GRANT$ is a locally controlled action) and that

$$s'.Ftime(TICK) = s.Ftime(TICK).$$

Then

$$\begin{aligned}
s.Ftime(TICK) + (s.TIMER - 1)c_1
&= s'.Ftime(TICK) + (s.TIMER - 1)c_1 \\
&\ge s'.Ltime(LOCAL) + c_1 - l + (s.TIMER - 1)c_1
   \quad \text{by inductive hypothesis, since } s'.TICKED = true, \\
&\ge t + c_1 - l + (s.TIMER - 1)c_1 \quad \text{by the inequality above,} \\
&= t + c_1 - l + \lfloor (m + l)/c_1 \rfloor c_1 \\
&> t + m = s.Ltime(FINISH(i)).
\end{aligned}$$

Thus,

$$s.Ftime(TICK) + (s.TIMER - 1)c_1 > s.Ltime(FINISH(i))$$

as needed.

The mutual exclusion condition has already been shown.

It is not possible for $TICKED = true$ in $s$, by the effects of the $GRANT$. ■
A.2 Proof of Lemma 5.2

The proof is by induction on the length of a finite execution, $\alpha$, that ends in state $s$. The base,
length 0, is trivial. So suppose that $\alpha = \alpha'(s', (\pi, t), s)$ and the result holds for $\alpha'$ and $s'$. We
show it holds for $\alpha$ and $s$, by considering cases.

Case 1: $\pi$ is a $REQUEST$, $ELSE$, $FINISH$, $TICK$ or $GRANT$ action.

These steps do not change the contents of any channel or the number of processes $i$ for
which $s.TOKEN(i) \ne not\_here$.

Case 2: $\pi = RECEIVE\text{-}TOKEN(j)$, for some $j$, $0 \le j \le n - 1$.

Since $RECEIVE\text{-}TOKEN(j)$ is enabled in $s'.Astate$ we have that $\#tokens(j - 1) \ge 1$. By
the induction hypothesis, this implies that for all processes $i$, $s'.TOKEN(i) = not\_here$. The
length of one channel queue is decreased by one, while one token state (of $j$) is changed from
$not\_here$ to $available$; thus, the total number of tokens on channels plus the number of processes
holding the token (i.e., having $TOKEN \ne not\_here$) is preserved.

Case 3: $\pi = SEND\text{-}TOKEN(j)$, for some $j$, $0 \le j \le n - 1$.

The number of processes $i$ for which $s.TOKEN(i) \ne not\_here$ is decreased by one relative
to $s'$ (process $j$ gives up the token), while the number of messages on the channels is increased
by one. This implies that the sum we are interested in remains the same. ■

A.3 Proof of Lemma 5.3

The proof is by induction on the length of a finite execution, $\alpha$, that ends in state $s$. The base,
length 0, is trivial. So suppose that $\alpha = \alpha'(s', (\pi, t), s)$ and the result holds for $\alpha'$ and $s'$. We
show it holds for $\alpha$ and $s$, by considering cases.

Case 1: $\pi = REQUEST(j)$ or $\pi = ELSE(j)$, for some $j$, $0 \le j \le n - 1$.

First suppose that $FINISH(i)$ is enabled in $s.Astate$, for some $i$, $0 \le i \le n - 1$ (where
$i$ might or might not be equal to $j$). Then it is also enabled in $s'.Astate$. The inductive
hypothesis implies that:

1. (a) $s'.TIMER(i) > 0$,

   (b) $s'.Ftime(TICK(i)) + (s'.TIMER(i) - 1)c_1 > s'.Ltime(FINISH(i))$, and

   (c) $s'.TOKEN(i) = used$.

Since $s.TIMER(i) = s'.TIMER(i)$ we have $s.TIMER(i) > 0$, showing 1a. Since

$$s.Ftime(TICK(i)) = s'.Ftime(TICK(i)),$$

and

$$s.Ltime(FINISH(i)) = s'.Ltime(FINISH(i)),$$

we have that

$$s.Ftime(TICK(i)) + (s.TIMER(i) - 1)c_1 > s.Ltime(FINISH(i)).$$

So we have invariant 1b. Invariant 1c carries over as this step does not change token states.

Now suppose that $s.TICKED(i) = true$. Then $s'.TICKED(i) = true$, and

$$s'.Ftime(TICK(i)) \ge s'.Ltime(LOCAL(i)) + c_1 - l.$$

Since

$$s.Ftime(TICK(i)) = s'.Ftime(TICK(i))$$

and

$$s.Ltime(LOCAL(i)) = s'.Ltime(LOCAL(i)),$$

we have that

$$s.Ftime(TICK(i)) \ge s.Ltime(LOCAL(i)) + c_1 - l.$$

So we have invariant 2.

Case 2: $\pi = FINISH(j)$, for some $j$, $0 \le j \le n - 1$.

First suppose that $FINISH(i)$ is enabled in $s.Astate$, for some $i$, $0 \le i \le n - 1$. It cannot
be that $i = j$, so $j \ne i$. Then $FINISH(i)$ is also enabled in $s'$. As $FINISH(j)$ is also enabled in
$s'$, we have, by invariant 1c, that $s'.TOKEN(j) = used$. Similarly, as $FINISH(i)$ is enabled in
$s'$, we have, by invariant 1c, that $s'.TOKEN(i) = used$. But this implies that the number of
processes for which $TOKEN \ne not\_here$ is at least two, contradicting Lemma 5.2. Therefore,
this case cannot occur, and we have invariant 1.

For invariant 2, suppose that $s.TICKED(i) = true$. Then the same argument as in Case 1
shows that, for all $i$,

$$s.Ftime(TICK(i)) \ge s.Ltime(LOCAL(i)) + c_1 - l.$$

Case 3: $\pi = TICK(j)$, for some $j$, $0 \le j \le n - 1$.

First, suppose that $FINISH(i)$ is enabled in $s.Astate$. Then it is also enabled in $s'.Astate$,
so the inductive hypothesis implies that

1. (a) $s'.TIMER(i) > 0$,

   (b) $s'.Ftime(TICK(i)) + (s'.TIMER(i) - 1)c_1 > s'.Ltime(FINISH(i))$, and

   (c) $s'.TOKEN(i) = used$.

We first prove that $s.TIMER(i) > 0$. If not, then it must be that $s'.TIMER(i) = 1$, and
$j = i$. Then the inductive hypothesis implies that

$$s'.Ftime(TICK(i)) > s'.Ltime(FINISH(i)).$$

But then the definition of $time(B)$ implies that $TICK(i)$ is not enabled in $s'$ (since $FINISH(i)$
must happen first). This is a contradiction, so we have invariant 1a.

For invariant 1b, if $i = j$, then

$$s.TIMER(i) = s'.TIMER(i) - 1$$

and we see that

$$\begin{aligned}
s.Ftime(TICK(i)) + (s.TIMER(i) - 1)c_1
&= t + c_1 + (s'.TIMER(i) - 1 - 1)c_1 \\
&= t + (s'.TIMER(i) - 1)c_1 \\
&> t + s'.Ltime(FINISH(i)) - s'.Ftime(TICK(i)) \quad \text{by inductive hypothesis,} \\
&\ge s'.Ltime(FINISH(i)) \quad \text{by the definition of } time(B), \\
&= s.Ltime(FINISH(i)).
\end{aligned}$$

Therefore,

$$s.Ftime(TICK(i)) + (s.TIMER(i) - 1)c_1 > s.Ltime(FINISH(i)),$$

and we have invariant 1b. If $i \ne j$ then invariant 1b follows as in Case 1. Invariant 1c carries
over as this step does not change token states.

Now suppose that $s.TICKED(i) = true$. If $i = j$, then $s.Ftime(TICK(i)) = t + c_1$ and
$s.Ltime(LOCAL(i)) \le t + l$, so

$$s.Ftime(TICK(i)) \ge s.Ltime(LOCAL(i)) + c_1 - l,$$

as needed for invariant 2. On the other hand, if $i \ne j$, then $s'.TICKED(i) = true$ and the
induction hypothesis on invariant 2 implies that

$$s'.Ftime(TICK(i)) \ge s'.Ltime(LOCAL(i)) + c_1 - l.$$

Then invariant 2 for $s$ follows as in Case 1.

Case 4: $\pi = GRANT(j)$, for some $j$, $0 \le j \le n - 1$.

Then $s'.TOKEN(j) = available$. First suppose that $FINISH(i)$ is enabled in $s.Astate$, for
some $i$, $0 \le i \le n - 1$. If $i \ne j$ then $FINISH(i)$ is also enabled in $s'.Astate$, so by inductive
hypothesis (invariant 1c), $s'.TOKEN(i) = used$. But this contradicts Lemma 5.2, so $i = j$.

Then the effects of $GRANT(j)$ imply that $s.TIMER(j) > 0$, so we have invariant 1a. Note
that

$$s'.Ltime(LOCAL(j)) \ge t$$

and that

$$s'.Ftime(TICK(j)) = s.Ftime(TICK(j)).$$

Then

$$\begin{aligned}
s.Ftime(TICK(j)) + (s.TIMER(j) - 1)c_1
&= s'.Ftime(TICK(j)) + (s.TIMER(j) - 1)c_1 \\
&\ge s'.Ltime(LOCAL(j)) + c_1 - l + (s.TIMER(j) - 1)c_1 \quad \text{by inductive hypothesis,} \\
&\ge t + c_1 - l + (s.TIMER(j) - 1)c_1 \\
&= t + c_1 - l + \lfloor (m + l)/c_1 \rfloor c_1 \\
&> t + m = s.Ltime(FINISH(j)).
\end{aligned}$$

Thus,

$$s.Ftime(TICK(j)) + (s.TIMER(j) - 1)c_1 > s.Ltime(FINISH(j))$$

and we have invariant 1b.

Invariant 1c follows from the effects of the $GRANT$.

Now suppose that $s.TICKED(i) = true$. Then the effects of $GRANT(j)$ imply that $j \ne i$.
Then invariant 2 follows as in Case 3.

Case 5: $\pi = RECEIVE\text{-}TOKEN(j)$, for some $j$, $0 \le j \le n - 1$.

From the inductive hypothesis on invariant 1c and Lemma 5.2 it follows that $FINISH(i)$ is
not enabled in $s'$, hence it is not enabled in $s$. So we have invariant 1.

Invariant 2 follows as in Case 1.

Case 6: $\pi = SEND\text{-}TOKEN(j)$, for some $j$, $0 \le j \le n - 1$.

If $FINISH(i)$ is enabled in $s$, then it is also enabled in $s'$, but then from invariant 1a it follows
that $s'.TIMER(j) > 0$, so $SEND\text{-}TOKEN(j)$ is not enabled in $s'$. This is a contradiction, so
invariant 1 holds.

Invariant 2 follows as in Case 1. ■
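The arithmetic at the heart of Case 4 in both proofs above (a timer of $\lfloor (m + l)/c_1 \rfloor + 1$ ticks outlasts the release of the resource even when the previous tick came a full $l$ before the $GRANT$ and every later tick interval is the minimum $c_1$) can be exercised mechanically. The Python model below is an added example, not code from the paper: it replays one $GRANT$-to-$FINISH$ cycle of the centralized algorithm of Lemma 4.2, checks invariant 1b after every step, and reports whether $FINISH(i)$ occurred before $TIMER$ reached 0 (the point at which a new $GRANT$ becomes possible). The same check applies per process to Lemma 5.3. It assumes, as the Case 4 derivation does, that $GRANT$ loads $TIMER$ with $\lfloor (m + l)/c_1 \rfloor + 1$; the parameter values and the sampled executions are constructed.

```python
"""Constructed model of one GRANT-to-FINISH cycle of the centralized
timing-based mutual exclusion algorithm, exercising invariant 1b of
Lemma 4.2.  Added example, not the paper's code.  Assumption taken from
the Case 4 derivation: GRANT loads TIMER with floor((m + l)/c1) + 1."""
import math
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Params:
    c1: float  # lower bound on the interval between two TICKs
    c2: float  # upper bound on the interval between two TICKs
    l: float   # upper bound on the time of a process step (local action)
    m: float   # upper bound on the time to release the resource after GRANT


def timer_value(p: Params) -> int:
    """TIMER loaded at GRANT, so that (TIMER - 1) c1 = floor((m + l)/c1) c1."""
    return math.floor((p.m + p.l) / p.c1) + 1


@dataclass
class State:
    timer: int                     # TIMER
    ftime_tick: float              # Ftime(TICK): earliest time of the next TICK
    ltime_finish: Optional[float]  # Ltime(FINISH(i)) while i holds the resource


def invariant_1b(s: State, p: Params) -> bool:
    """Ftime(TICK) + (TIMER - 1) c1 > Ltime(FINISH(i)) whenever FINISH(i) is enabled."""
    if s.ltime_finish is None:
        return True
    return s.ftime_tick + (s.timer - 1) * p.c1 > s.ltime_finish


def run_cycle(p: Params, timer: int, last_tick_offset: float,
              intervals: List[float], release_delay: float) -> Tuple[bool, bool]:
    """Replay one cycle with the GRANT at real time 0.

    last_tick_offset: how long before the GRANT the last TICK occurred
        (at most l, which is what invariant 2 guarantees).
    intervals: the following TICK intervals, each in [c1, c2].
    release_delay: when FINISH(i) occurs, in [0, m] (Ltime(FINISH(i)) = m).
    Returns (invariant 1b held in every state, FINISH came before TIMER hit 0).
    """
    if len(intervals) < timer:
        raise ValueError("need at least `timer` tick intervals to drain TIMER")
    # State right after the GRANT: Ftime(TICK) = (time of last TICK) + c1.
    s = State(timer=timer, ftime_tick=p.c1 - last_tick_offset, ltime_finish=p.m)
    ok = invariant_1b(s, p)
    tick_time = -last_tick_offset
    for gap in intervals:
        tick_time += gap
        if tick_time >= release_delay:
            s.ltime_finish = None          # FINISH(i) happened before this TICK
        s.timer -= 1                       # effect of TICK on TIMER
        s.ftime_tick = tick_time + p.c1    # next TICK cannot come sooner than c1
        ok = ok and invariant_1b(s, p)
        if s.timer == 0:                   # a new GRANT is now possible
            return ok, s.ltime_finish is None
    return ok, True


def worst_case(p: Params, timer: int) -> Tuple[bool, bool]:
    """The execution the bound is tight for: last TICK a full l before the
    GRANT, every later interval exactly c1, release as late as allowed."""
    return run_cycle(p, timer, p.l, [p.c1] * timer, p.m)


def count_bad_cycles(p: Params, timer: int, trials: int, seed: int = 0) -> int:
    """Sample executions within the timing bounds and count those in which
    invariant 1b breaks or TIMER expires before the release."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        offset = rng.uniform(0.0, p.l)
        gaps = [rng.uniform(p.c1, p.c2) for _ in range(timer)]
        release = rng.uniform(0.0, p.m)
        inv_ok, safe = run_cycle(p, timer, offset, gaps, release)
        if not (inv_ok and safe):
            bad += 1
    return bad


if __name__ == "__main__":
    P = Params(c1=3.0, c2=5.0, l=1.0, m=10.0)   # constructed sample values
    T = timer_value(P)                          # floor(11/3) + 1 = 4
    print("TIMER =", T, "worst case:", worst_case(P, T),
          "bad samples:", count_bad_cycles(P, T, 2000))
    print("TIMER =", T - 1, "worst case:", worst_case(P, T - 1))
```

With the constructed values the correct timer (4 ticks) survives the adversarial execution and every sampled one, while a timer one tick shorter already violates invariant 1b in the state immediately after the $GRANT$, which is exactly the inequality Case 4 establishes: $c_1 - l + (TIMER - 1)c_1$ must exceed $m$.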